CVE-2020-36518 - Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00503.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Debian	Debian Linux
Fasterxml	Jackson-databind
Netapp	Active Iq Unified Manager Cloud Insights Acquisition Unit Oncommand Insight Oncommand Workflow Automation Snap Creator Framework
Oracle	Big Data Spatial And Graph Coherence Commerce Platform Communications Billing And Revenue Management Communications Cloud Native Core Binding Support Function Communications Cloud Native Core Console Communications Cloud Native Core Network Repository Function Communications Cloud Native Core Network Slice Selection Function Communications Cloud Native Core Security Edge Protection Proxy Communications Cloud Native Core Service Communication Proxy Communications Cloud Native Core Unified Data Repository Financial Services Analytical Applications Infrastructure Financial Services Behavior Detection Platform Financial Services Crime And Compliance Management Studio Financial Services Enterprise Case Management Financial Services Trade-based Anti Money Laundering Global Lifecycle Management Nextgen Oui Framework Global Lifecycle Management Opatch Graph Server And Client Health Sciences Empirica Signal Peoplesoft Enterprise Peopletools Primavera Gateway Primavera P6 Enterprise Project Portfolio Management Primavera Unifier Retail Sales Audit Sd-wan Edge Spatial Studio Utilities Framework Weblogic Server
Redhat	Amq Broker Amq Streams Enterprise Linux Integration Jboss Data Grid Jboss Enterprise Application Platform Jboss Enterprise Application Platform Eus Jboss Enterprise Bpms Platform Jboss Fuse Logging Openshift Application Runtimes Quarkus Red Hat Single Sign On

Configuration 1 [-]

OR	cpe:2.3:a:fasterxml:jackson-databind::::::::
	cpe:2.3:a:fasterxml:jackson-databind::::::::

Configuration 2 [-]

OR	cpe:2.3:a:oracle:big_data_spatial_and_graph::::::::
	cpe:2.3:a:oracle:coherence:14.1.1.0.0:::::::*
	cpe:2.3:a:oracle:commerce_platform:11.3.0:::::::*
	cpe:2.3:a:oracle:commerce_platform:11.3.1:::::::*
	cpe:2.3:a:oracle:commerce_platform:11.3.2:::::::*
	cpe:2.3:a:oracle:communications_billing_and_revenue_management::::::::
	cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.1:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:22.2.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:::::::*
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:::::::*
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:::::::*
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.1:::::::*
	cpe:2.3:a:oracle:financial_services_behavior_detection_platform::::::::
	cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7.0.0:::::::*
	cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8:::::::*
	cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:::::::*
	cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management::::::::
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:::::::*
	cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7::::enterprise:::
	cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8::::enterprise:::
	cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework::::::::
	cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:::::::*
	cpe:2.3:a:oracle:global_lifecycle_management_opatch::::::::
	cpe:2.3:a:oracle:graph_server_and_client::::::::
	cpe:2.3:a:oracle:health_sciences_empirica_signal:9.1.0.5.2:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:::::::*
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_unifier::::::::
	cpe:2.3:a:oracle:primavera_unifier:18.0:::::::*
	cpe:2.3:a:oracle:primavera_unifier:19.12:::::::*
	cpe:2.3:a:oracle:primavera_unifier:20.12:::::::*
	cpe:2.3:a:oracle:primavera_unifier:21.12:::::::*
	cpe:2.3:a:oracle:retail_sales_audit:15.0.3.1:::::::*
	cpe:2.3:a:oracle:sd-wan_edge:9.0:::::::*
	cpe:2.3:a:oracle:sd-wan_edge:9.1:::::::*
	cpe:2.3:a:oracle:spatial_studio::::::::
	cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.5.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 4 [-]

OR	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
	cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:::::::*
	cpe:2.3:a:netapp:oncommand_insight:-:::::::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
	cpe:2.3:a:netapp:snap_creator_framework:-:::::::*

Package	CPE	Advisory	Released Date
Logging subsystem for Red Hat OpenShift 5.4
openshift-logging/elasticsearch6-rhel8:v6.8.1-265	cpe:/a:redhat:logging:5.4::el8	RHSA-2022:7435	2022-11-16T00:00:00Z
OpenShift Logging 5.3
openshift-logging/elasticsearch6-rhel8:v6.8.1-277	cpe:/a:redhat:logging:5.3::el8	RHSA-2022:8889	2022-12-08T00:00:00Z
Red Hat AMQ 7.10.0
jackson-databind	cpe:/a:redhat:amq_broker:7	RHSA-2022:5101	2022-06-16T00:00:00Z
Red Hat AMQ Streams 2.2.0
jackson-databind	cpe:/a:redhat:amq_streams:2	RHSA-2022:6819	2022-10-05T00:00:00Z
Red Hat AMQ Streams 2.4.0
	cpe:/a:redhat:amq_streams:2	RHSA-2023:3223	2023-05-18T00:00:00Z
Red Hat build of Eclipse Vert.x 4.2.7
jackson-databind	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2022:5029	2022-06-23T00:00:00Z
Red Hat build of Quarkus 2.7.6
jackson-databind	cpe:/a:redhat:quarkus:2.7	RHSA-2022:5596	2022-07-19T00:00:00Z
Red Hat Data Grid 8.3.1
jackson-databind	cpe:/a:redhat:jboss_data_grid:8	RHSA-2022:2232	2022-05-12T00:00:00Z
Red Hat Enterprise Linux 8
pki-deps:10.6-8100020240205164017.e155f54d	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:3061	2024-05-22T00:00:00Z
Red Hat Enterprise Linux 9
jackson-databind-0:2.14.1-2.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:2312	2023-05-09T00:00:00Z
Red Hat Fuse 7.11
jackson-databind	cpe:/a:redhat:jboss_fuse:7	RHSA-2022:5532	2022-07-07T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7
jackson-databind	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2022:4922	2022-06-06T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
eap7-glassfish-el-0:3.0.1-4.b08_redhat_00005.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-hibernate-0:5.1.17-3.Final_redhat_00004.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-jackson-databind-0:2.8.11.6-3.SP1_redhat_00003.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-jboss-ejb-client-0:4.0.12-1.Final_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-netty-0:4.1.63-2.Final_redhat_00003.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-undertow-0:1.4.18-16.SP14_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-0:7.1.11-4.GA_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-elytron-0:1.1.14-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-http-client-0:1.0.21-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-naming-client-0:1.0.13-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-openssl-linux-0:1.0.12-6.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
eap7-jackson-annotations-0:2.10.4-3.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jackson-core-0:2.10.4-3.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jackson-databind-0:2.10.4-5.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jackson-jaxrs-providers-0:2.10.4-3.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jackson-modules-base-0:2.10.4-5.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jackson-modules-java8-0:2.10.4-2.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-16.Final_redhat_00017.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-netty-0:4.1.63-5.Final_redhat_00003.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-undertow-0:2.0.41-4.SP5_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-wildfly-0:7.3.14-3.GA_redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-wildfly-elytron-0:1.10.17-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-jackson-databind-0:2.12.6.1-1.redhat_00003.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2022:4919	2022-06-06T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-jackson-databind-0:2.12.6.1-1.redhat_00003.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2022:4918	2022-06-06T00:00:00Z
Red Hat Single Sign-On 7
jackson-databind	cpe:/a:redhat:red_hat_single_sign_on:7	RHSA-2022:6787	2022-10-04T00:00:00Z
Red Hat Single Sign-On 7.5 for RHEL 7
rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso	cpe:/a:redhat:red_hat_single_sign_on:7.5::el7	RHSA-2022:6782	2022-10-04T00:00:00Z
Red Hat Single Sign-On 7.5 for RHEL 8
rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso	cpe:/a:redhat:red_hat_single_sign_on:7.5::el8	RHSA-2022:6783	2022-10-04T00:00:00Z
Red Hat Single Sign-On 7.6.1
jackson-databind	cpe:/a:redhat:red_hat_single_sign_on:7.6.1	RHSA-2022:7417	2022-11-03T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 7
rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el7	RHSA-2022:7409	2022-11-03T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 8
rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el8	RHSA-2022:7410	2022-11-03T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 9
rh-sso7-0:1-5.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2022:7411	2022-11-03T00:00:00Z
rh-sso7-javapackages-tools-0:6.0.0-7.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2022:7411	2022-11-03T00:00:00Z
rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2022:7411	2022-11-03T00:00:00Z
RHAF Camel-K 1.8
jackson-databind	cpe:/a:redhat:integration:1	RHSA-2022:6407	2022-09-09T00:00:00Z
RHOL-5.5-RHEL-8
openshift-logging/elasticsearch6-rhel8:v6.8.1-273	cpe:/a:redhat:logging:5.5::el8	RHSA-2022:8781	2022-12-08T00:00:00Z
RHOL-5.6-RHEL-8
openshift-logging/elasticsearch6-rhel8:v6.8.1-285	cpe:/a:redhat:logging:5.6::el8	RHSA-2023:0264	2023-01-19T00:00:00Z
RHPAM 7.13.1 async
jackson-databind	cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13	RHSA-2022:6813	2022-10-05T00:00:00Z

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/FasterXML/jackson-databind/issues/2816
https://github.com/advisories/GHSA-57j2-w4cx-62h2
https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
https://nvd.nist.gov/vuln/detail/CVE-2020-36518
https://security.netapp.com/advisory/ntap-20220506-0004/
https://www.cve.org/CVERecord?id=CVE-2020-36518
https://www.debian.org/security/2022/dsa-5283
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html

History

Wed, 27 Aug 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 25 Jun 2025 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Enterprise Application Platform Eus
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
Vendors & Products		Redhat jboss Enterprise Application Platform Eus

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-03-11T00:00:00.000Z

Updated: 2025-08-27T20:34:32.190Z

Reserved: 2022-03-11T00:00:00.000Z

Link: CVE-2020-36518

Vulnrichment

Updated: 2024-08-04T17:30:08.127Z

NVD

Status : Modified

Published: 2022-03-11T07:15:07.800

Modified: 2025-08-27T21:15:36.420

Link: CVE-2020-36518

Redhat

Severity : Moderate

Publid Date: 2020-08-13T00:00:00Z

Links: CVE-2020-36518 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object