CVE-2020-36518

Aliases:GHSA-57j2-w4cx-62h2

Advisory lineage Upstream: 0 Downstream: 18

Downstream

DEBIAN-CVE-2020-36518 DLA-2990-1 DLA-3207-1 DSA-5283-1 MGASA-2024-0069 RHSA-2022:4918

Modified

Published: 11 Mar 2022, 00:00

Last modified:27 Aug 2025, 20:34

Vulnerability Summary

Overall Risk (default)

medium

40/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.49% LOW

0% probability -0.03%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

11 Mar 2022, 00:00

Published

Vulnerability first disclosed

27 Aug 2025, 20:34

Last Modified

Vulnerability information updated

Description

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 0.49%• Percentile: 66%

Techniques & Countermeasures

CWE-787•Out-of-bounds Write
The product writes data past the end, or before the beginning, of the intended buffer.

Affected Systems

debian•debian_linux
9.0 | 10.0 | 11.0
fasterxml•jackson-databind
< 2.12.6.1 | ≥ 2.13.0, < 2.13.2.1
com.fasterxml.jackson.core•jackson-databind
≥ 2.13.0, < 2.13.2.1 | < 2.12.6.1
netapp•active_iq_unified_manager
na
netapp•cloud_insights_acquisition_unit
na
netapp•oncommand_insight
na
netapp•oncommand_workflow_automation
na
netapp•snap_creator_framework
na
oracle•big_data_spatial_and_graph
< 23.1
oracle•coherence
14.1.1.0.0
oracle•commerce_platform
11.3.0 | 11.3.1 | 11.3.2
oracle•communications_billing_and_revenue_management
≥ 12.0.0.4.0, ≤ 12.0.0.6.0
oracle•communications_cloud_native_core_binding_support_function
22.1.3
oracle•communications_cloud_native_core_console
1.9.0
oracle•communications_cloud_native_core_network_repository_function
22.1.2 | 22.2.0
oracle•communications_cloud_native_core_network_slice_selection_function
22.1.0 | 22.1.1
oracle•communications_cloud_native_core_security_edge_protection_proxy
22.1.1
oracle•communications_cloud_native_core_service_communication_proxy
22.2.0
oracle•communications_cloud_native_core_unified_data_repository
22.2.0
oracle•financial_services_analytical_applications_infrastructure
≥ 8.0.7, ≤ 8.1.0.0 | 8.1.1.0 | 8.1.2.0 | 8.1.2.1
oracle•financial_services_behavior_detection_platform
≥ 8.1.1.0, ≤ 8.1.2.1 | 8.0.7.0.0 | 8.0.8
oracle•financial_services_crime_and_compliance_management_studio
8.0.8.2.0 | 8.0.8.3.0
oracle•financial_services_enterprise_case_management
≥ 8.1.1.0, ≤ 8.1.2.1 | 8.0.7.1 | 8.0.7.2 | 8.0.8.0 | 8.0.8.1
oracle•financial_services_trade-based_anti_money_laundering
8.0.7 | 8.0.8
oracle•global_lifecycle_management_nextgen_oui_framework
< 13.9.4.2.2 | 13.9.4.2.2
oracle•global_lifecycle_management_opatch
< 12.2.0.1.30
oracle•graph_server_and_client
< 22.2.0
oracle•health_sciences_empirica_signal
9.1.0.5.2
oracle•peoplesoft_enterprise_peopletools
8.58 | 8.59
oracle•primavera_gateway
≥ 17.12.0, ≤ 17.12.11 | ≥ 18.8.0, ≤ 18.8.14 | ≥ 19.12.0, ≤ 19.12.13 | ≥ 20.12.0, ≤ 20.12.18 | ≥ 21.12.0, ≤ 21.12.1
oracle•primavera_p6_enterprise_project_portfolio_management
≥ 17.12.0.0, ≤ 17.12.20.4 | ≥ 18.8.0.0, ≤ 18.8.25.4 | ≥ 19.12.0, ≤ 19.12.19.0 | ≥ 20.12.0.0, ≤ 21.12.4.0
oracle•primavera_unifier
≥ 17.0, ≤ 17.12 | 18.0 | 19.12 | 20.12 | 21.12
oracle•retail_sales_audit
15.0.3.1
oracle•sd-wan_edge
9.0 | 9.1
oracle•spatial_studio
< 20.1.0
oracle•utilities_framework
4.3.0.5.0 | 4.3.0.6.0 | 4.4.0.0.0 | 4.4.0.2.0 | 4.4.0.3.0 | 4.4.0.5.0
Unknown•WebLogic Server
12.2.1.3.0 | 12.2.1.4.0 | 14.1.1.0.0