GHSA-xmc8-26q4-qjhx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xmc8-26q4-qjhx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-xmc8-26q4-qjhx/GHSA-xmc8-26q4-qjhx.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-xmc8-26q4-qjhx
- Aliases
- Published
- 2021-12-09T19:17:21Z
- Modified
- 2025-01-08T07:27:14.056172Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Denial of Service (DoS) in Jackson Dataformat CBOR
- Details
-
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 2.8.0-rc1 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
- Database specific
{ "severity": "HIGH", "github_reviewed_at": "2021-03-16T00:43:00Z", "cwe_ids": [ "CWE-770" ], "github_reviewed": true, "nvd_published_at": "2021-02-18T16:15:00Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-28491
- https://github.com/FasterXML/jackson-dataformats-binary/issues/186
- https://github.com/FasterXML/jackson-dataformats-binary/commit/3d7de83423f8f68f8e9a0c8250084e11818544c7
- https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6
- https://github.com/FasterXML/jackson-dataformats-binary
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329
- https://www.oracle.com/security-alerts/cpujul2022.html
Affected packages
Maven
com.fasterxml.jackson.dataformat:jackson-dataformat-cbor
Package
- Name
- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor
- View open source insights on deps.dev
- Purl
- pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-cbor
Affected versions
2.*
2.8.0.rc1
2.8.0.rc2
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.11
2.9.0
2.9.0.pr1
2.9.0.pr2
2.9.0.pr3
2.9.0.pr4
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.9.10
2.10.0
2.10.0.pr1
2.10.0.pr2
2.10.0.pr3
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.11.0.rc1
2.11.0
2.11.1
2.11.2
2.11.3
com.fasterxml.jackson.dataformat:jackson-dataformat-cbor
Package
- Name
- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor
- View open source insights on deps.dev
- Purl
- pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-cbor