Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

cve-2020-36518
Back to All
CVE

CVE-2020-36518

Deeply nested json in jackson-databind

Description

jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.

Base CVSS

7.5

EPSS Score

0.56%

Introduced Version

2.0.0-RC1

Fix Available

2.12.6.1,2.13.2.1

Available Patches

Package
CVEs Fixed
Lines of Code Changed
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.2
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1244
-16
Package Name
com.fasterxml.jackson.core:jackson-databind
2.9.1
CVES Fixed
C
24
H
40
M
0
L
0
Code Changed
+1052
-190
Package Name
com.fasterxml.jackson.core:jackson-databind
2.12.5
CVES Fixed
C
0
H
4
M
0
L
0
Code Changed
+294
-21
Package Name
com.fasterxml.jackson.core:jackson-databind
2.4.1.3
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1229
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.10.4
CVES Fixed
C
0
H
5
M
0
L
0
Code Changed
+312
-35
Package Name
com.fasterxml.jackson.core:jackson-databind
2.8.6
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1320
-56
Package Name
com.fasterxml.jackson.core:jackson-databind
2.9.10.4
CVES Fixed
C
0
H
25
M
0
L
0
Code Changed
+397
-33
Package Name
com.fasterxml.jackson.core:jackson-databind
2.5.1
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1220
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.6.0-rc3
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1217
-12
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.3
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1244
-16
Package Name
com.fasterxml.jackson.core:jackson-databind
2.0.0-RC1
CVES Fixed
C
26
H
39
M
0
L
0
Code Changed
+1391
-0
Package Name
com.fasterxml.jackson.core:jackson-databind
2.4.2
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1229
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.9.6
CVES Fixed
C
13
H
35
M
0
L
0
Code Changed
+852
-20
Package Name
com.fasterxml.jackson.core:jackson-databind
2.10.5
CVES Fixed
C
0
H
5
M
0
L
0
Code Changed
+312
-35
Package Name
com.fasterxml.jackson.core:jackson-databind
2.1.4
CVES Fixed
C
26
H
39
M
0
L
0
Code Changed
+1395
-0
Package Name
com.fasterxml.jackson.core:jackson-databind
2.9.10.5
CVES Fixed
C
0
H
21
M
0
L
0
Code Changed
+380
-33
Package Name
com.fasterxml.jackson.core:jackson-databind
2.1.2
CVES Fixed
C
26
H
39
M
0
L
0
Code Changed
+1395
-0
Package Name
com.fasterxml.jackson.core:jackson-databind
2.4.1.1
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1231
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.0-rc1
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1244
-16
Package Name
com.fasterxml.jackson.core:jackson-databind
2.12.3
CVES Fixed
C
0
H
4
M
0
L
0
Code Changed
+294
-22
Package Name
com.fasterxml.jackson.core:jackson-databind
2.11.2
CVES Fixed
C
0
H
4
M
0
L
0
Code Changed
+301
-36
Package Name
com.fasterxml.jackson.core:jackson-databind
2.4.1.2
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1229
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.9.10.3
CVES Fixed
C
3
H
35
M
0
L
0
Code Changed
+739
-135
Package Name
com.fasterxml.jackson.core:jackson-databind
2.0.0-RC3
CVES Fixed
C
26
H
39
M
0
L
0
Code Changed
+1379
-0
Package Name
com.fasterxml.jackson.core:jackson-databind
2.13.2
CVES Fixed
C
0
H
3
M
0
L
0
Code Changed
+285
-7
Package Name
com.fasterxml.jackson.core:jackson-databind
2.12.0
CVES Fixed
C
0
H
4
M
0
L
0
Code Changed
+294
-21
Package Name
com.fasterxml.jackson.core:jackson-databind
2.10.2
CVES Fixed
C
0
H
5
M
0
L
0
Code Changed
+312
-35
Package Name
com.fasterxml.jackson.core:jackson-databind
2.4.1
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1231
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.9.10.2
CVES Fixed
C
4
H
35
M
0
L
0
Code Changed
+742
-135
Package Name
com.fasterxml.jackson.core:jackson-databind
2.13.1
CVES Fixed
C
0
H
3
M
0
L
0
Code Changed
+285
-7
Package Name
com.fasterxml.jackson.core:jackson-databind
2.10.3
CVES Fixed
C
0
H
5
M
0
L
0
Code Changed
+312
-35
Package Name
com.fasterxml.jackson.core:jackson-databind
2.10.0.pr3
CVES Fixed
C
0
H
5
M
0
L
0
Code Changed
+312
-35
Package Name
com.fasterxml.jackson.core:jackson-databind
2.5.0-rc1
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1220
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.2.1
CVES Fixed
C
26
H
39
M
0
L
0
Code Changed
+1394
-0
Package Name
com.fasterxml.jackson.core:jackson-databind
2.9.10.1
CVES Fixed
C
5
H
35
M
0
L
0
Code Changed
+746
-135
Package Name
com.fasterxml.jackson.core:jackson-databind
2.6.0-rc1
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1217
-12
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.5
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1243
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.9.5
CVES Fixed
C
14
H
37
M
0
L
0
Code Changed
+860
-18
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.6
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1218
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.0
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1244
-16
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.4
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1243
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.9.0
CVES Fixed
C
24
H
40
M
0
L
0
Code Changed
+1133
-181
Package Name
com.fasterxml.jackson.core:jackson-databind
2.8.11.2
CVES Fixed
C
21
H
37
M
0
L
0
Code Changed
+847
-39
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.0-rc2
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1244
-16
Package Name
com.fasterxml.jackson.core:jackson-databind
2.0.2
CVES Fixed
C
26
H
39
M
0
L
0
Code Changed
+1379
-0
Package Name
com.fasterxml.jackson.core:jackson-databind
2.4.6
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1228
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.9.2
CVES Fixed
C
23
H
39
M
0
L
0
Code Changed
+916
-16
Package Name
com.fasterxml.jackson.core:jackson-databind
2.6.7.2
CVES Fixed
C
21
H
40
M
0
L
0
Code Changed
+967
-21
Package Name
com.fasterxml.jackson.core:jackson-databind
2.4.5.1
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1228
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.1.5
CVES Fixed
C
26
H
39
M
0
L
0
Code Changed
+1395
-0
Package Name
com.fasterxml.jackson.core:jackson-databind
2.9.0.pr2
CVES Fixed
C
25
H
40
M
0
L
0
Code Changed
+880
-35
Package Name
com.fasterxml.jackson.core:jackson-databind
2.12.6
CVES Fixed
C
0
H
3
M
0
L
0
Code Changed
+223
-20
Package Name
com.fasterxml.jackson.core:jackson-databind
2.4.0
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1231
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.8.2
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1351
-47
Package Name
com.fasterxml.jackson.core:jackson-databind
2.8.8.1
CVES Fixed
C
25
H
40
M
0
L
0
Code Changed
+1283
-140
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.8
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1446
-107
Package Name
com.fasterxml.jackson.core:jackson-databind
2.8.11.3
CVES Fixed
C
14
H
37
M
0
L
0
Code Changed
+834
-42
Package Name
com.fasterxml.jackson.core:jackson-databind
2.0.6
CVES Fixed
C
26
H
39
M
0
L
0
Code Changed
+1379
-0
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.0-rc3
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1244
-16
Package Name
com.fasterxml.jackson.core:jackson-databind
2.2.2
CVES Fixed
C
26
H
39
M
0
L
0
Code Changed
+1394
-0
Package Name
com.fasterxml.jackson.core:jackson-databind
2.9.4
CVES Fixed
C
23
H
39
M
0
L
0
Code Changed
+840
-143
Package Name
com.fasterxml.jackson.core:jackson-databind
2.6.3
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1217
-12
Package Name
com.fasterxml.jackson.core:jackson-databind
2.12.4
CVES Fixed
C
0
H
4
M
0
L
0
Code Changed
+294
-22
Package Name
com.fasterxml.jackson.core:jackson-databind
2.11.3
CVES Fixed
C
0
H
4
M
0
L
0
Code Changed
+301
-36
Package Name
com.fasterxml.jackson.core:jackson-databind
2.10.0
CVES Fixed
C
0
H
5
M
0
L
0
Code Changed
+312
-35
Package Name
com.fasterxml.jackson.core:jackson-databind
2.10.0.pr2
CVES Fixed
C
0
H
5
M
0
L
0
Code Changed
+411
-35
Package Name
com.fasterxml.jackson.core:jackson-databind
2.9.10
CVES Fixed
C
8
H
35
M
0
L
0
Code Changed
+755
-135
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.9.4
CVES Fixed
C
21
H
37
M
0
L
0
Code Changed
+873
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.4.6.1
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1228
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.5.5
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1220
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.9.0.pr4
CVES Fixed
C
25
H
40
M
0
L
0
Code Changed
+1134
-179
Package Name
com.fasterxml.jackson.core:jackson-databind
2.4.0-rc1
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1235
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.11.1
CVES Fixed
C
0
H
4
M
0
L
0
Code Changed
+301
-36
Package Name
com.fasterxml.jackson.core:jackson-databind
2.8.11.4
CVES Fixed
C
13
H
35
M
0
L
0
Code Changed
+610
-43
Package Name
com.fasterxml.jackson.core:jackson-databind
2.8.4
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1343
-102
Package Name
com.fasterxml.jackson.core:jackson-databind
2.6.7.5
CVES Fixed
C
0
H
3
M
0
L
0
Code Changed
+719
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.10.0.pr1
CVES Fixed
C
0
H
5
M
0
L
0
Code Changed
+413
-35
Package Name
com.fasterxml.jackson.core:jackson-databind
2.12.0-rc1
CVES Fixed
C
0
H
4
M
0
L
0
Code Changed
+294
-21
Package Name
com.fasterxml.jackson.core:jackson-databind
2.8.10
CVES Fixed
C
24
H
40
M
0
L
0
Code Changed
+1174
-103
Package Name
com.fasterxml.jackson.core:jackson-databind
2.2.3
CVES Fixed
C
26
H
39
M
0
L
0
Code Changed
+1394
-0
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.7
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1218
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.6.7.3
CVES Fixed
C
6
H
35
M
0
L
0
Code Changed
+2089
-348
Package Name
com.fasterxml.jackson.core:jackson-databind
2.7.1
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1244
-16
Package Name
com.fasterxml.jackson.core:jackson-databind
2.6.0-rc2
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1217
-12
Package Name
com.fasterxml.jackson.core:jackson-databind
2.9.0.pr3
CVES Fixed
C
25
H
40
M
0
L
0
Code Changed
+806
-77
Package Name
com.fasterxml.jackson.core:jackson-databind
2.13.0-rc1
CVES Fixed
C
0
H
4
M
0
L
0
Code Changed
+356
-9
Package Name
com.fasterxml.jackson.core:jackson-databind
2.12.2
CVES Fixed
C
0
H
4
M
0
L
0
Code Changed
+294
-21
Package Name
com.fasterxml.jackson.core:jackson-databind
2.0.0-RC2
CVES Fixed
C
26
H
39
M
0
L
0
Code Changed
+1379
-0
Package Name
com.fasterxml.jackson.core:jackson-databind
2.6.7.1
CVES Fixed
C
25
H
40
M
0
L
0
Code Changed
+2089
-267
Package Name
com.fasterxml.jackson.core:jackson-databind
2.13.0-rc2
CVES Fixed
C
0
H
4
M
0
L
0
Code Changed
+354
-10
Package Name
com.fasterxml.jackson.core:jackson-databind
2.3.5
CVES Fixed
C
26
H
39
M
0
L
0
Code Changed
+1390
-0
Package Name
com.fasterxml.jackson.core:jackson-databind
2.8.3
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1347
-53
Package Name
com.fasterxml.jackson.core:jackson-databind
2.13.0
CVES Fixed
C
0
H
4
M
0
L
0
Code Changed
+356
-9
Package Name
com.fasterxml.jackson.core:jackson-databind
2.1.3
CVES Fixed
C
26
H
39
M
0
L
0
Code Changed
+1395
-0
Package Name
com.fasterxml.jackson.core:jackson-databind
2.9.9.2
CVES Fixed
C
13
H
35
M
0
L
0
Code Changed
+771
-135
Package Name
com.fasterxml.jackson.core:jackson-databind
2.8.11.1
CVES Fixed
C
22
H
39
M
0
L
0
Code Changed
+856
-39
Package Name
com.fasterxml.jackson.core:jackson-databind
2.4.0-rc3
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1235
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.8.11
CVES Fixed
C
23
H
40
M
0
L
0
Code Changed
+914
-43
Package Name
com.fasterxml.jackson.core:jackson-databind
2.6.7
CVES Fixed
C
26
H
40
M
0
L
0
Code Changed
+1217
-15
Package Name
com.fasterxml.jackson.core:jackson-databind
2.3.4
CVES Fixed
C
26
H
39
M
0
L
0
Code Changed
+1390
-0

References

https://github.com/FasterXML/jackson-databind/commit/0a8157c6ca478b1bc7be4ba7dccdb3863275f0de
https://github.com/FasterXML/jackson-databind/issues/2816
https://www.oracle.com/security-alerts/cpuapr2022.html
https://github.com/FasterXML/jackson-databind/commit/b3587924ee5d8695942f364d0d404d48d0ea6126
https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12
https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
https://security.netapp.com/advisory/ntap-20220506-0004
https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd
https://github.com/FasterXML/jackson-databind
https://nvd.nist.gov/vuln/detail/CVE-2020-36518
https://github.com/FasterXML/jackson-databind/commit/3cc52f82ecf943e06c1d7c3b078e405fb3923d2b
https://www.debian.org/security/2022/dsa-5283
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13
https://www.oracle.com/security-alerts/cpujul2022.html

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance
Oops! Something went wrong, please try again.
brightness-increase
moon-01