Out-of-bounds write in jackson-databind

#VU61799 Out-of-bounds write in jackson-databind

Published: 2022-04-01 | Updated: 2022-11-02

Vulnerability identifier: #VU61799

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-36518

CWE-ID: CWE-787

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jackson-databind
Universal components / Libraries / Libraries used by multiple products

Vendor: FasterXML

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can trigger out-of-bounds write and cause a denial of service condition on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.12.0 - 2.12.6, 2.13.0 - 2.13.2

CPE

cpe:2.3:a:fasterxml:jackson-databind:2.12.6:*:*:*:*:*:*:*

External links
http://github.com/FasterXML/jackson-databind/issues/2816
http://github.com/advisories/GHSA-57j2-w4cx-62h2

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Out-of-bounds write in IBM Watson Discovery Cartridge for IBM Cloud Pak for Data

Multiple vulnerabilities in IBM Voice Gateway

Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

Multiple vulnerabilities in OpenShift Logging 5.6

Out-of-bounds write in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data

Multiple vulnerabilities in Stream Analytics

Multiple vulnerabilities in Oracle Commerce Guided Search

Out-of-bounds write in IBM Sterling B2B Integrator

Out-of-bounds write in IBM Common Licensing

Multiple vulnerabilities in IBM Tivoli Network Manager