#VU60986 Input validation error in Jackson Dataformats Binary


Published: 2022-03-03

Vulnerability identifier: #VU60986

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-28491

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Jackson Dataformats Binary
Universal components / Libraries / Libraries used by multiple products

Vendor: FasterXML

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Jackson Dataformats Binary: 2.8.0 - 2.12.0

External links
http://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329
http://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6
http://github.com/FasterXML/jackson-dataformats-binary/issues/186

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Observability with Instana (OnPrem)
Multiple vulnerabilities in IBM Sterling Order Management
Multiple vulnerabilities in Dell CloudLink
Multiple vulnerabilities in Autodesk InfraWorks
IBM Log Analysis update for FasterXML jackson-dataformat-cbor
Multiple vulnerabilities in IBM Security Access Manager
Multiple vulnerabilities in Oracle WebLogic Server
Multiple vulnerabilities in IBM Security Guardium
SUSE update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core
Multiple vulnerabilities in OpenShift Logging