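This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor in all versions before 2.11.4, and in versions from 2.12.0-rc1 up to but not including 2.12.1. Unchecked allocation of a byte buffer can cause a java.lang.OutOfMemoryError, which is a denial-of-service risk for applications that parse untrusted CBOR input. The signatures below target `_finishBytes` and `_readAndWriteBytes` in CBORParser.java and cite the upstream commit as their source; going by the affected ranges, 2.11.4 and 2.12.1 are the first unaffected releases.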
[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"129983155497639191821232729987906768590",
"293721718097756488639842468111192569958",
"277084483174521411667096336893893552039",
"327950003078725394238594746057898134396",
"90358465180018884696325127426795283433",
"32046326522691793560477738231319690675",
"129502278070894466149979291530589893008",
"232629767048977343073560288718428436817",
"256097333289448449389483771575020193030",
"106606627730428513147546610508871963184",
"25585344382680633111074017748753085804",
"5100276345026810479043727905114164406",
"321268313926450555153135542864676488572",
"327876982926057006583313670332935291689",
"21838303680019300127876574403161259481",
"67709398790751532445333746567443784986",
"56783431110364640156774298954688069741",
"337701623603561665201730327643043411740",
"65074913798098046064880138043397506537",
"196085477388162190113911383995920223225",
"218459687528603701055254638388721989634",
"166427403261253523661464004669658013164",
"296952275590201602347985611437168983378",
"177939048048205355807484105278018514921",
"36043301171711945796036643856087427323",
"274824825744177424663278282307424272372",
"278514542567996661184735554378843888287",
"318772613548819191477071427544588772209",
"325051459090327163649805835726370373250",
"43759424000242679966655295523741071057",
"202104046224665685100848242685295024521",
"73726737732190831612647247731356203998",
"290159510129303302105228511105620619398",
"302186350127742671400415888881254124593",
"338529064238834256711224528964915477865",
"316712323200081705766394325361131154443",
"1680890575939264076067885112541104730",
"171067707598149894936208036274920719631",
"42901989861396535960874244916232830975",
"147840393942686607977524498973952351660",
"321934946151966803547262389627853960039",
"31603957422268562336019888034252688236",
"155441650641331400118754750039884930924",
"242794240806336798223930833137119166850",
"206903644196711083705257983950496989737",
"83772662390265721985494413751827400968",
"195001702550610504286888798822182878192",
"191488667509288959197348735967244936916",
"25585344382680633111074017748753085804",
"5100276345026810479043727905114164406",
"291379714798149480470984844890582812399",
"299874382837472514861433092753620775607",
"248234090661109185925145951854811301324",
"20963995269190925250804656088824813206",
"104567563143988142563870835667649724170",
"196235263204402402609763157836752369823",
"151757446087398289622995848660147899636",
"258757145405178391180794398220819150294",
"106519248053627447208732498316250623012",
"323463837471766102646408590666503129424",
"160189882639841371924360294416448527409",
"235146744732920406682969336417271593953",
"40860746391389089246239248198686067914",
"206213146143000379543054723917779547703",
"74635240172505085265429406546657775765",
"294505490826375021136667253204022143196",
"81865039181064509093556433364270165969",
"162496388304201938555696298351945565569"
]
},
"target": {
"file": "cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java"
},
"id": "CVE-2020-28491-0ebbf2d0",
"source": "https://github.com/fasterxml/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6",
"signature_version": "v1",
"signature_type": "Line",
"deprecated": false
},
{
"digest": {
"function_hash": "18576926615204975445573486525009627693",
"length": 1339.0
},
"target": {
"function": "_finishBytes",
"file": "cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java"
},
"id": "CVE-2020-28491-6c2fe96d",
"source": "https://github.com/fasterxml/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
},
{
"digest": {
"function_hash": "133583911733986147634947244890322136993",
"length": 396.0
},
"target": {
"function": "_readAndWriteBytes",
"file": "cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java"
},
"id": "CVE-2020-28491-d02d9295",
"source": "https://github.com/fasterxml/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
},
{
"digest": {
"function_hash": "250093413643581265500582662402343291543",
"length": 528.0
},
"target": {
"function": "testCorruptVeryLongBinary",
"file": "cbor/src/test/java/com/fasterxml/jackson/dataformat/cbor/failing/BrokenLongBinary186Test.java"
},
"id": "CVE-2020-28491-f0bd70c0",
"source": "https://github.com/fasterxml/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"246800345423135692582171137264117158399",
"203247005902182406251857672334776410423",
"188831964508150588921972691085375264994",
"175302170851142590452665831559816457889",
"325566956706907097326739271493722429060",
"59390975657142484646348414648889502443",
"301732068583506116245146746134284490402",
"39115216093159656302879503426757917099",
"320216939997167431237265052092530217091",
"241476131684266328850980344216308011129",
"271201860604088826282660457755475539691",
"227367983070827541848635707835717238580",
"135967562241849933856414360756167589405",
"171279783161637924970486287673373715269",
"24393685379264252497193153162126591343",
"147243851137440751584877449674307599303",
"228711167884539430473509455367961697513",
"72571201198871009329158081961387733988",
"243228197233131270282623268308941239884",
"83394137749162493113866250919367758159",
"285175852603903057527171414908876590790",
"129938880201533632891819795385289412487",
"91346598705182248979770769375061916937",
"303366485401885038260486055081342080879",
"26035181553770217152310349951669607821",
"299509819860536002629293172949335238616",
"318458011858797955580024688403837128873",
"318479626346718256823842507034274753779"
]
},
"target": {
"file": "cbor/src/test/java/com/fasterxml/jackson/dataformat/cbor/failing/BrokenLongBinary186Test.java"
},
"id": "CVE-2020-28491-f42175e3",
"source": "https://github.com/fasterxml/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6",
"signature_version": "v1",
"signature_type": "Line",
"deprecated": false
}
]