CVE-2021-46877

Aliases: GHSA-3x8x-79m2-3w2w
Advisory lineage: Upstream: 0, Downstream: 11
Status: Modified
Published: 18 Mar 2023, 00:00
Last modified: 26 Feb 2025, 19:02

Vulnerability Summary

Overall Risk (default): medium (40/100)
CVSS Score: 7.5 HIGH, v3.1 (cve.org)
EPSS Score: 0.25% LOW (change -0.01%)
KEV: Not listed
Ransomware: No reports
Public exploits: 1 found
Dark Web: Not detected

Timeline

  • 18 Mar 2023, 00:00: Published (vulnerability first disclosed)
  • 26 Feb 2025, 19:02: Last modified (vulnerability information updated)

Description

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

CVSS Metrics

  • v3.1 HIGH, score 7.5: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.25% Percentile: 49%

Techniques & Countermeasures

  • CWE-770: Allocation of Resources Without Limits or Throttling

    The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
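The allocation pattern behind this CWE in a JDK-serialization hook, as an added illustration that is not jackson-databind's own code: a hypothetical Externalizable-style payload reader that allocates whatever length the stream declares (the shape of the DoS the description refers to, where a 4-byte length field can demand up to about 2 GB before a single payload byte is read), beside a bounded reader that only allocates eagerly below a threshold and otherwise grows as bytes actually arrive. The class and method names, the 100,000-byte threshold, the chunk size and the crafted stream are assumptions for this example, not values taken from the project.

```java
import java.io.*;

/**
 * Added illustration of CWE-770 in a JDK-serialization reader.
 * Hypothetical code, not jackson-databind's: a JSON payload carried as a
 * length-prefixed byte array, read once trusting the declared length and
 * once with allocation bounded by the bytes that really arrive.
 */
public class LengthPrefixDemo {

    /** Vulnerable pattern: allocate the full declared length up front. */
    static byte[] readTrusting(ObjectInput in) throws IOException {
        int declared = in.readInt();      // attacker-controlled length field
        byte[] buf = new byte[declared];  // up to ~2 GB transient heap before any payload byte is checked
        in.readFully(buf);
        return buf;
    }

    /** Assumed thresholds for the hardened reader (not the project's values). */
    static final int EAGER_ALLOC_LIMIT = 100_000;
    static final int CHUNK = 8_192;

    /** Hardened pattern: eager allocation only for small payloads, chunked growth otherwise. */
    static byte[] readBounded(ObjectInput in) throws IOException {
        int declared = in.readInt();
        if (declared < 0) {
            throw new StreamCorruptedException("negative payload length " + declared);
        }
        if (declared <= EAGER_ALLOC_LIMIT) {
            byte[] buf = new byte[declared];
            in.readFully(buf);
            return buf;
        }
        // Large declared length: memory grows only as bytes are actually delivered,
        // so a short stream fails with EOF instead of a multi-GB allocation.
        ByteArrayOutputStream out = new ByteArrayOutputStream(EAGER_ALLOC_LIMIT);
        byte[] chunk = new byte[CHUNK];
        int remaining = declared;
        while (remaining > 0) {
            int n = in.read(chunk, 0, Math.min(CHUNK, remaining));
            if (n < 0) {
                throw new EOFException("stream ended with " + remaining + " declared bytes missing");
            }
            out.write(chunk, 0, n);
            remaining -= n;
        }
        return out.toByteArray();
    }

    /** Constructed payload: a length field claiming ~2 GB followed by only two real bytes. */
    static byte[] craftedStream() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeInt(Integer.MAX_VALUE - 8);
        oos.write("{}".getBytes("UTF-8"));
        oos.flush();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = craftedStream();
        System.out.println("payload on the wire: " + payload.length + " bytes");

        // Bounded reader: touches at most CHUNK bytes at a time and fails fast on the short stream.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            readBounded(in);
        } catch (EOFException e) {
            System.out.println("bounded reader rejected the stream: " + e.getMessage());
        }

        // Trusting reader: attempts the ~2 GB allocation before reading any payload byte.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            readTrusting(in);
        } catch (OutOfMemoryError e) {
            System.out.println("trusting reader: OutOfMemoryError allocating the declared length");
        } catch (EOFException e) {
            System.out.println("trusting reader: heap was large enough to allocate ~2 GB, then hit EOF");
        }
    }
}
```

Run it with a deliberately small heap (for example `java -Xmx256m LengthPrefixDemo.java` on Java 11 or later) to see the trusting reader fail with OutOfMemoryError while the bounded reader rejects the same 6-byte payload with a plain EOFException. The point to check in any Externalizable or readObject implementation is the same: a length read from the stream must never be passed straight to a single allocation.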

Affected Systems

  • fasterxml : jackson-databind

    ≥ 2.10.0, < 2.12.6 | 2.13.0 | 2.13.0:rc1 | 2.13.0:rc2

  • com.fasterxml.jackson.core:jackson-databind (Maven)

    ≥ 2.10.0, < 2.12.6 | ≥ 2.13.0, < 2.13.1

References (7)