{"id":"CVE-2020-36518","details":"jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.","aliases":["GHSA-57j2-w4cx-62h2"],"modified":"2026-05-18T05:52:34.307015454Z","published":"2022-03-11T07:15:07.800Z","related":["ALSA-2023:2312","ALSA-2024:3061","CGA-w7w4-h48v-37h3","SUSE-SU-2022:1678-1","openSUSE-SU-2024:12096-1","openSUSE-SU-2024:12100-1","openSUSE-SU-2024:12101-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"9.0"},{"last_affected":"10.0"},{"last_affected":"11.0"}],"cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"vendor_product":"debian:debian_linux","source":"CPE_FIELD"},{"extracted_events":[{"fixed":"23.1"}],"cpes":["cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:*"],"vendor_product":"oracle:big_data_spatial_and_graph","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"14.1.1.0.0"}],"cpes":["cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:coherence","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"11.3.0"},{"last_affected":"11.3.1"},{"last_affected":"11.3.2"}],"cpes":["cpe:2.3:a:oracle:commerce_platform:11.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:commerce_platform:11.3.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:commerce_platform:11.3.2:*:*:*:*:*:*:*"],"vendor_product":"oracle:commerce_platform","source":"CPE_FIELD"},{"extracted_events":[{"introduced":"12.0.0.4.0"},{"last_affected":"12.0.0.6.0"}],"cpes":["cpe:2.3:a:oracle:communications_billing_and_revenue_management:*:*:*:*:*:*:*:*"],"vendor_product":"oracle:communications_billing_and_revenue_management","source":"CPE_FIELD"},{"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"22.1.3"}],"vendor_product":"oracle:communications_cloud_native_core_binding_support_function","source":"CPE_FIELD"},{"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"1.9.0"}],"vendor_product":"oracle:communications_cloud_native_core_console","source":"CPE_FIELD"},{"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"22.1.2"},{"last_affected":"22.2.0"}],"vendor_product":"oracle:communications_cloud_native_core_network_repository_function","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"22.1.0"},{"last_affected":"22.1.1"}],"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.1:*:*:*:*:*:*:*"],"vendor_product":"oracle:communications_cloud_native_core_network_slice_selection_function","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"22.1.1"}],"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:*:*:*:*:*:*:*"],"vendor_product":"oracle:communications_cloud_native_core_security_edge_protection_proxy","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"22.2.0"}],"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:22.2.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:communications_cloud_native_core_service_communication_proxy","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"22.2.0"}],"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:communications_cloud_native_core_unified_data_repository","source":"CPE_FIELD"},{"extracted_events":[{"introduced":"8.0.7"},{"last_affected":"8.1.0.0"},{"last_affected":"8.1.1.0"},{"last_affected":"8.1.2.0"},{"last_affected":"8.1.2.1"}],"cpes":["cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.1:*:*:*:*:*:*:*"],"vendor_product":"oracle:financial_services_analytical_applications_infrastructure","source":"CPE_FIELD"},{"extracted_events":[{"introduced":"8.1.1.0"},{"last_affected":"8.1.2.1"},{"last_affected":"8.0.7.0.0"},{"last_affected":"8.0.8"}],"cpes":["cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8:*:*:*:*:*:*:*"],"vendor_product":"oracle:financial_services_behavior_detection_platform","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"8.0.8.2.0"},{"last_affected":"8.0.8.3.0"}],"cpes":["cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:financial_services_crime_and_compliance_management_studio","source":"CPE_FIELD"},{"extracted_events":[{"introduced":"8.1.1.0"},{"last_affected":"8.1.2.1"},{"last_affected":"8.0.7.1"},{"last_affected":"8.0.7.2"},{"last_affected":"8.0.8.0"},{"last_affected":"8.0.8.1"}],"cpes":["cpe:2.3:a:oracle:financial_services_enterprise_case_management:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:*:*:*:*:*:*:*","cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*"],"vendor_product":"oracle:financial_services_enterprise_case_management","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"8.0.7"},{"last_affected":"8.0.8"}],"cpes":["cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7:*:*:*:enterprise:*:*:*","cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8:*:*:*:enterprise:*:*:*"],"vendor_product":"oracle:financial_services_trade-based_anti_money_laundering","source":"CPE_FIELD"},{"extracted_events":[{"fixed":"13.9.4.2.2"},{"last_affected":"13.9.4.2.2"}],"cpes":["cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:*:*:*:*:*:*:*"],"vendor_product":"oracle:global_lifecycle_management_nextgen_oui_framework","source":"CPE_FIELD"},{"extracted_events":[{"fixed":"12.2.0.1.30"}],"cpes":["cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"],"vendor_product":"oracle:global_lifecycle_management_opatch","source":"CPE_FIELD"},{"extracted_events":[{"fixed":"22.2.0"}],"cpes":["cpe:2.3:a:oracle:graph_server_and_client:*:*:*:*:*:*:*:*"],"vendor_product":"oracle:graph_server_and_client","source":"CPE_FIELD"},{"cpes":["cpe:2.3:a:oracle:health_sciences_empirica_signal:9.1.0.5.2:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"9.1.0.5.2"}],"vendor_product":"oracle:health_sciences_empirica_signal","source":"CPE_FIELD"},{"cpes":["cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*","cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"8.58"},{"last_affected":"8.59"}],"vendor_product":"oracle:peoplesoft_enterprise_peopletools","source":"CPE_FIELD"},{"extracted_events":[{"introduced":"17.12.0"},{"last_affected":"17.12.11"},{"introduced":"18.8.0"},{"last_affected":"18.8.14"},{"introduced":"19.12.0"},{"last_affected":"19.12.13"},{"introduced":"20.12.0"},{"last_affected":"20.12.18"},{"introduced":"21.12.0"},{"last_affected":"21.12.1"}],"cpes":["cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*"],"vendor_product":"oracle:primavera_gateway","source":"CPE_FIELD"},{"cpes":["cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"17.12.0.0"},{"last_affected":"17.12.20.4"},{"introduced":"18.8.0.0"},{"last_affected":"18.8.25.4"},{"introduced":"19.12.0"},{"last_affected":"19.12.19.0"},{"introduced":"20.12.0.0"},{"last_affected":"21.12.4.0"}],"vendor_product":"oracle:primavera_p6_enterprise_project_portfolio_management","source":"CPE_FIELD"},{"extracted_events":[{"introduced":"17.0"},{"last_affected":"17.12"},{"last_affected":"18.0"},{"last_affected":"19.12"},{"last_affected":"20.12"},{"last_affected":"21.12"}],"cpes":["cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:primavera_unifier:18.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*","cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*","cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*"],"vendor_product":"oracle:primavera_unifier","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"15.0.3.1"}],"cpes":["cpe:2.3:a:oracle:retail_sales_audit:15.0.3.1:*:*:*:*:*:*:*"],"vendor_product":"oracle:retail_sales_audit","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"9.0"},{"last_affected":"9.1"}],"cpes":["cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*"],"vendor_product":"oracle:sd-wan_edge","source":"CPE_FIELD"},{"extracted_events":[{"fixed":"20.1.0"}],"cpes":["cpe:2.3:a:oracle:spatial_studio:*:*:*:*:*:*:*:*"],"vendor_product":"oracle:spatial_studio","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"4.3.0.5.0"},{"last_affected":"4.3.0.6.0"},{"last_affected":"4.4.0.0.0"},{"last_affected":"4.4.0.2.0"},{"last_affected":"4.4.0.3.0"},{"last_affected":"4.4.0.5.0"}],"cpes":["cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:utilities_framework:4.4.0.5.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:utilities_framework","source":"CPE_FIELD"},{"cpes":["cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"12.2.1.3.0"},{"last_affected":"12.2.1.4.0"},{"last_affected":"14.1.1.0.0"}],"vendor_product":"oracle:weblogic_server","source":"CPE_FIELD"}]},"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220506-0004/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5283"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"REPORT","url":"https://github.com/FasterXML/jackson-databind/issues/2816"},{"type":"EVIDENCE","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fasterxml/jackson-databind","events":[{"introduced":"0"},{"fixed":"f758e50f0ecb7c24d91f66beda42d259a1e2c4a4"},{"introduced":"70c5dfbd52410d99d36181072711125ac5240a15"},{"fixed":"bdf6441dac25e2908b642100a588656da57b4077"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2.12.6.1"},{"introduced":"2.13.0"},{"fixed":"2.13.2.1"}],"cpe":"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["jackson-databind-2.13.2","jackson-databind-2.13.1","jackson-databind-2.12.6","jackson-databind-2.13.0","jackson-databind-2.12.5","jackson-databind-2.12.4","jackson-databind-2.12.3","jackson-databind-2.12.2","jackson-databind-2.12.1","jackson-databind-2.12.0","jackson-databind-2.12.0-rc2","jackson-databind-2.12.0-rc1","jackson-databind-2.11.0","jackson-databind-2.11.0.rc1","jackson-databind-2.10.0","jackson-databind-2.10.0.pr3","jackson-databind-2.10.0.pr2","jackson-databind-2.10.0.pr1","jackson-databind-2.9.6","jackson-databind-2.9.5","jackson-databind-2.9.4","jackson-databind-2.9.3","jackson-databind-2.9.1","jackson-databind-2.9.0","jackson-databind-2.9.0.pr4","jackson-databind-2.9.0.pr3","jackson-databind-2.9.0.pr2","jackson-databind-2.9.0.pr1","jackson-databind-2.8.2","jackson-databind-2.8.1","jackson-databind-2.8.0","jackson-databind-2.7.1-1","jackson-databind-2.7.1","jackson-databind-2.7.0","jackson-databind-2.7.0-rc3","jackson-databind-2.7.0-rc2","jackson-databind-2.7.0-rc1","jackson-databind-2.6.1","jackson-databind-2.6.0","jackson-databind-2.6.0-rc4","2.6.0-rc3b","jackson-databind-2.6.0-rc1","jackson-databind-2.5.0","jackson-databind-2.5.0-rc1","jackson-databind-2.4.1.3","jackson-databind-2.4.1.2","jackson-databind-2.4.1.1","jackson-databind-2.4.1","jackson-databind-2.4.0","jackson-databind-2.4.0-rc3","jackson-databind-2.4.0-rc2","jackson-databind-2.4.0-rc1","jackson-databind-2.3.1","jackson-databind-2.3.0","jackson-databind-2.3.0-rc1","jackson-databind-2.2.2","jackson-databind-2.2.1","2.2.0c","jackson-databind-2.2.0","jackson-databind-2.1.1","jackson-databind-2.1.0","jackson-databind-2.0.2","jackson-databind-2.0.1","jackson-databind-2.0.0","jackson-databind-2.0.0-RC3","jackson-databind-2.0.0-RC2","jackson-databind-2.0.0-RC1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-36518.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}