CVE-2020-36518 - Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00514.

Exploitation none

Automatable yes

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:fasterxml:jackson-databind::::::::
	cpe:2.3:a:fasterxml:jackson-databind::::::::

Configuration 2 [-]

OR	cpe:2.3:a:oracle:big_data_spatial_and_graph::::::::
	cpe:2.3:a:oracle:coherence:14.1.1.0.0:::::::*
	cpe:2.3:a:oracle:commerce_platform:11.3.0:::::::*
	cpe:2.3:a:oracle:commerce_platform:11.3.1:::::::*
	cpe:2.3:a:oracle:commerce_platform:11.3.2:::::::*
	cpe:2.3:a:oracle:communications_billing_and_revenue_management::::::::
	cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.1:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:22.2.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:::::::*
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:::::::*
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:::::::*
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.1:::::::*
	cpe:2.3:a:oracle:financial_services_behavior_detection_platform::::::::
	cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7.0.0:::::::*
	cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8:::::::*
	cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:::::::*
	cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management::::::::
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:::::::*
	cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7::::enterprise:::
	cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8::::enterprise:::
	cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework::::::::
	cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:::::::*
	cpe:2.3:a:oracle:global_lifecycle_management_opatch::::::::
	cpe:2.3:a:oracle:graph_server_and_client::::::::
	cpe:2.3:a:oracle:health_sciences_empirica_signal:9.1.0.5.2:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:::::::*
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_unifier::::::::
	cpe:2.3:a:oracle:primavera_unifier:18.0:::::::*
	cpe:2.3:a:oracle:primavera_unifier:19.12:::::::*
	cpe:2.3:a:oracle:primavera_unifier:20.12:::::::*
	cpe:2.3:a:oracle:primavera_unifier:21.12:::::::*
	cpe:2.3:a:oracle:retail_sales_audit:15.0.3.1:::::::*
	cpe:2.3:a:oracle:sd-wan_edge:9.0:::::::*
	cpe:2.3:a:oracle:sd-wan_edge:9.1:::::::*
	cpe:2.3:a:oracle:spatial_studio::::::::
	cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.5.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 4 [-]

OR	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
	cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:::::::*
	cpe:2.3:a:netapp:oncommand_insight:-:::::::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
	cpe:2.3:a:netapp:snap_creator_framework:-:::::::*

Package	CPE	Advisory	Released Date
Logging subsystem for Red Hat OpenShift 5.4
openshift-logging/elasticsearch6-rhel8:v6.8.1-265	cpe:/a:redhat:logging:5.4::el8	RHSA-2022:7435	2022-11-16T00:00:00Z
OpenShift Logging 5.3
openshift-logging/elasticsearch6-rhel8:v6.8.1-277	cpe:/a:redhat:logging:5.3::el8	RHSA-2022:8889	2022-12-08T00:00:00Z
Red Hat AMQ 7.10.0
jackson-databind	cpe:/a:redhat:amq_broker:7	RHSA-2022:5101	2022-06-16T00:00:00Z
Red Hat AMQ Streams 2.2.0
jackson-databind	cpe:/a:redhat:amq_streams:2	RHSA-2022:6819	2022-10-05T00:00:00Z
Red Hat AMQ Streams 2.4.0
	cpe:/a:redhat:amq_streams:2	RHSA-2023:3223	2023-05-18T00:00:00Z
Red Hat build of Eclipse Vert.x 4.2.7
jackson-databind	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2022:5029	2022-06-23T00:00:00Z
Red Hat build of Quarkus 2.7.6
jackson-databind	cpe:/a:redhat:quarkus:2.7	RHSA-2022:5596	2022-07-19T00:00:00Z
Red Hat Data Grid 8.3.1
jackson-databind	cpe:/a:redhat:jboss_data_grid:8	RHSA-2022:2232	2022-05-12T00:00:00Z
Red Hat Enterprise Linux 8
pki-deps:10.6-8100020240205164017.e155f54d	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:3061	2024-05-22T00:00:00Z
Red Hat Enterprise Linux 9
jackson-databind-0:2.14.1-2.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:2312	2023-05-09T00:00:00Z
Red Hat Fuse 7.11
jackson-databind	cpe:/a:redhat:jboss_fuse:7	RHSA-2022:5532	2022-07-07T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7
jackson-databind	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2022:4922	2022-06-06T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
eap7-glassfish-el-0:3.0.1-4.b08_redhat_00005.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-hibernate-0:5.1.17-3.Final_redhat_00004.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-jackson-databind-0:2.8.11.6-3.SP1_redhat_00003.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-jboss-ejb-client-0:4.0.12-1.Final_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-netty-0:4.1.63-2.Final_redhat_00003.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-undertow-0:1.4.18-16.SP14_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-0:7.1.11-4.GA_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-elytron-0:1.1.14-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-http-client-0:1.0.21-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-naming-client-0:1.0.13-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-openssl-linux-0:1.0.12-6.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
eap7-jackson-annotations-0:2.10.4-3.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jackson-core-0:2.10.4-3.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jackson-databind-0:2.10.4-5.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jackson-jaxrs-providers-0:2.10.4-3.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jackson-modules-base-0:2.10.4-5.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jackson-modules-java8-0:2.10.4-2.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-16.Final_redhat_00017.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-netty-0:4.1.63-5.Final_redhat_00003.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-undertow-0:2.0.41-4.SP5_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-wildfly-0:7.3.14-3.GA_redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
eap7-wildfly-elytron-0:1.10.17-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:9583	2025-06-25T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-jackson-databind-0:2.12.6.1-1.redhat_00003.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2022:4919	2022-06-06T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-jackson-databind-0:2.12.6.1-1.redhat_00003.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2022:4918	2022-06-06T00:00:00Z
Red Hat Single Sign-On 7
jackson-databind	cpe:/a:redhat:red_hat_single_sign_on:7	RHSA-2022:6787	2022-10-04T00:00:00Z
Red Hat Single Sign-On 7.5 for RHEL 7
rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso	cpe:/a:redhat:red_hat_single_sign_on:7.5::el7	RHSA-2022:6782	2022-10-04T00:00:00Z
Red Hat Single Sign-On 7.5 for RHEL 8
rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso	cpe:/a:redhat:red_hat_single_sign_on:7.5::el8	RHSA-2022:6783	2022-10-04T00:00:00Z
Red Hat Single Sign-On 7.6.1
jackson-databind	cpe:/a:redhat:red_hat_single_sign_on:7.6.1	RHSA-2022:7417	2022-11-03T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 7
rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el7	RHSA-2022:7409	2022-11-03T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 8
rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el8	RHSA-2022:7410	2022-11-03T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 9
rh-sso7-0:1-5.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2022:7411	2022-11-03T00:00:00Z
rh-sso7-javapackages-tools-0:6.0.0-7.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2022:7411	2022-11-03T00:00:00Z
rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2022:7411	2022-11-03T00:00:00Z
RHAF Camel-K 1.8
jackson-databind	cpe:/a:redhat:integration:1	RHSA-2022:6407	2022-09-09T00:00:00Z
RHOL-5.5-RHEL-8
openshift-logging/elasticsearch6-rhel8:v6.8.1-273	cpe:/a:redhat:logging:5.5::el8	RHSA-2022:8781	2022-12-08T00:00:00Z
RHOL-5.6-RHEL-8
openshift-logging/elasticsearch6-rhel8:v6.8.1-285	cpe:/a:redhat:logging:5.6::el8	RHSA-2023:0264	2023-01-19T00:00:00Z
RHPAM 7.13.1 async
jackson-databind	cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13	RHSA-2022:6813	2022-10-05T00:00:00Z

No data.

Project Subscriptions

Vendors	Products
Debian Subscribe	Debian Linux Subscribe
Fasterxml Subscribe	Jackson-databind Subscribe
Netapp Subscribe	Active Iq Unified Manager Subscribe Cloud Insights Acquisition Unit Subscribe Oncommand Insight Subscribe Oncommand Workflow Automation Subscribe Snap Creator Framework Subscribe
Oracle Subscribe	Big Data Spatial And Graph Subscribe Coherence Subscribe Commerce Platform Subscribe Communications Billing And Revenue Management Subscribe Communications Cloud Native Core Binding Support Function Subscribe Communications Cloud Native Core Console Subscribe Communications Cloud Native Core Network Repository Function Subscribe Communications Cloud Native Core Network Slice Selection Function Subscribe Communications Cloud Native Core Security Edge Protection Proxy Subscribe Communications Cloud Native Core Service Communication Proxy Subscribe Communications Cloud Native Core Unified Data Repository Subscribe Financial Services Analytical Applications Infrastructure Subscribe Financial Services Behavior Detection Platform Subscribe Financial Services Crime And Compliance Management Studio Subscribe Financial Services Enterprise Case Management Subscribe Financial Services Trade-based Anti Money Laundering Subscribe Global Lifecycle Management Nextgen Oui Framework Subscribe Global Lifecycle Management Opatch Subscribe Graph Server And Client Subscribe Health Sciences Empirica Signal Subscribe Peoplesoft Enterprise Peopletools Subscribe Primavera Gateway Subscribe Primavera P6 Enterprise Project Portfolio Management Subscribe Primavera Unifier Subscribe Retail Sales Audit Subscribe Sd-wan Edge Subscribe Spatial Studio Subscribe Utilities Framework Subscribe Weblogic Server Subscribe
Redhat Subscribe	Amq Broker Subscribe Amq Streams Subscribe Enterprise Linux Subscribe Integration Subscribe Jboss Data Grid Subscribe Jboss Enterprise Application Platform Subscribe Jboss Enterprise Application Platform Eus Subscribe Jboss Enterprise Bpms Platform Subscribe Jboss Fuse Subscribe Logging Subscribe Openshift Application Runtimes Subscribe Quarkus Subscribe Red Hat Single Sign On Subscribe

Advisories

Source	ID	Title
Debian DLA	DLA-2990-1	jackson-databind security update
Debian DLA	DLA-3207-1	jackson-databind security update
Debian DSA	DSA-5283-1	jackson-databind security update
EUVD	EUVD-2022-1319	jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Github GHSA	GHSA-57j2-w4cx-62h2	Deeply nested json in jackson-databind

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/FasterXML/jackson-databind/issues/2816
https://github.com/advisories/GHSA-57j2-w4cx-62h2
https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
https://nvd.nist.gov/vuln/detail/CVE-2020-36518
https://security.netapp.com/advisory/ntap-20220506-0004/
https://www.cve.org/CVERecord?id=CVE-2020-36518
https://www.debian.org/security/2022/dsa-5283
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html

History

Wed, 27 Aug 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 25 Jun 2025 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Enterprise Application Platform Eus
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
Vendors & Products		Redhat jboss Enterprise Application Platform Eus

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-03-11T00:00:00.000Z

Updated: 2025-08-27T20:34:32.190Z

Reserved: 2022-03-11T00:00:00.000Z

Link: CVE-2020-36518

Vulnrichment

Updated: 2024-08-04T17:30:08.127Z

NVD

Status : Modified

Published: 2022-03-11T07:15:07.800

Modified: 2025-08-27T21:15:36.420

Link: CVE-2020-36518

Redhat

Severity : Moderate

Publid Date: 2020-08-13T00:00:00Z

Links: CVE-2020-36518 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Exploitation none

Automatable yes

Technical Impact partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object