CVE
GHSA-3x8x-79m2-3w2w
jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
Package Versions Affected
Package Version
patch Availability
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Related Resources
No items found.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-46877, https://github.com/FasterXML/jackson-databind/issues/3328, https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb, https://github.com/FasterXML/jackson-databind, https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12.6, https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13.1, https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw
Basic Information
Ecosystem
