High severity7.5NVD Advisory· Published Mar 11, 2022· Updated Jun 17, 2026
CVE-2020-36518
CVE-2020-36518
Description
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.fasterxml.jackson.core:jackson-databindMaven | >= 2.13.0, < 2.13.2.1 | 2.13.2.1 |
com.fasterxml.jackson.core:jackson-databindMaven | < 2.12.6.1 | 2.12.6.1 |
Affected products
109- jackson-databind/jackson-databinddescription
- osv-coords108 versionspkg:apk/chainguard/cassandra-reaperpkg:apk/chainguard/management-api-for-apache-cassandra-4.0pkg:apk/chainguard/management-api-for-apache-cassandra-4.0-compatpkg:apk/chainguard/management-api-for-apache-cassandra-4.1pkg:apk/chainguard/management-api-for-apache-cassandra-5.0pkg:apk/chainguard/management-api-for-apache-cassandra-5.0-compatpkg:apk/chainguard/request-1277pkg:apk/wolfi/cassandra-reaperpkg:apk/wolfi/management-api-for-apache-cassandra-4.1pkg:apk/wolfi/management-api-for-apache-cassandra-5.0pkg:apk/wolfi/management-api-for-apache-cassandra-5.0-compatpkg:maven/com.fasterxml.jackson.core/jackson-databindpkg:rpm/almalinux/apache-commons-collectionspkg:rpm/almalinux/apache-commons-langpkg:rpm/almalinux/apache-commons-netpkg:rpm/almalinux/bea-stax-apipkg:rpm/almalinux/fasterxml-oss-parentpkg:rpm/almalinux/glassfish-fastinfosetpkg:rpm/almalinux/glassfish-jaxb-apipkg:rpm/almalinux/glassfish-jaxb-corepkg:rpm/almalinux/glassfish-jaxb-runtimepkg:rpm/almalinux/glassfish-jaxb-txw2pkg:rpm/almalinux/jackson-annotationspkg:rpm/almalinux/jackson-bompkg:rpm/almalinux/jackson-corepkg:rpm/almalinux/jackson-databindpkg:rpm/almalinux/jackson-jaxrs-json-providerpkg:rpm/almalinux/jackson-jaxrs-providerspkg:rpm/almalinux/jackson-module-jaxb-annotationspkg:rpm/almalinux/jackson-modules-basepkg:rpm/almalinux/jackson-parentpkg:rpm/almalinux/jakarta-commons-httpclientpkg:rpm/almalinux/javassistpkg:rpm/almalinux/javassist-javadocpkg:rpm/almalinux/pki-jackson-databindpkg:rpm/almalinux/pki-servlet-enginepkg:rpm/almalinux/relaxngDatatypepkg:rpm/almalinux/slf4jpkg:rpm/almalinux/slf4j-jdk14pkg:rpm/almalinux/stax-expkg:rpm/almalinux/velocitypkg:rpm/almalinux/xalan-j2pkg:rpm/almalinux/xerces-j2pkg:rpm/almalinux/xml-commons-apispkg:rpm/almalinux/xml-commons-resolverpkg:rpm/almalinux/xmlstreambufferpkg:rpm/almalinux/xsompkg:rpm/opensuse/jackson-annotations&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/jackson-annotations&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/jackson-bom&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/jackson-bom&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/jackson-core&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/jackson-core&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/jackson-databind&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/jackson-databind&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/jackson-dataformats-binary&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/jackson-dataformats-binary&distro=openSUSE%20Leap%2015.4pkg:rpm/suse/jackson-annotations&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/jackson-annotations&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOSpkg:rpm/suse/jackson-annotations&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/jackson-annotations&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/jackson-annotations&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/jackson-annotations&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/jackson-annotations&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP2pkg:rpm/suse/jackson-annotations&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCLpkg:rpm/suse/jackson-annotations&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/jackson-annotations&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/jackson-annotations&distro=SUSE%20Manager%20Proxy%204.1pkg:rpm/suse/jackson-annotations&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1pkg:rpm/suse/jackson-annotations&distro=SUSE%20Manager%20Server%204.1pkg:rpm/suse/jackson-core&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/jackson-core&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOSpkg:rpm/suse/jackson-core&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/jackson-core&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/jackson-core&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/jackson-core&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/jackson-core&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP2pkg:rpm/suse/jackson-core&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCLpkg:rpm/suse/jackson-core&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/jackson-core&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/jackson-core&distro=SUSE%20Manager%20Proxy%204.1pkg:rpm/suse/jackson-core&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1pkg:rpm/suse/jackson-core&distro=SUSE%20Manager%20Server%204.1pkg:rpm/suse/jackson-databind&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOSpkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP2pkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCLpkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/jackson-databind&distro=SUSE%20Manager%20Proxy%204.1pkg:rpm/suse/jackson-databind&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1pkg:rpm/suse/jackson-databind&distro=SUSE%20Manager%20Server%204.1pkg:rpm/suse/jackson-dataformats-binary&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/jackson-dataformats-binary&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOSpkg:rpm/suse/jackson-dataformats-binary&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/jackson-dataformats-binary&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/jackson-dataformats-binary&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4pkg:rpm/suse/jackson-dataformats-binary&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP2pkg:rpm/suse/jackson-dataformats-binary&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCLpkg:rpm/suse/jackson-dataformats-binary&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/jackson-dataformats-binary&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/jackson-dataformats-binary&distro=SUSE%20Manager%20Proxy%204.1pkg:rpm/suse/jackson-dataformats-binary&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1pkg:rpm/suse/jackson-dataformats-binary&distro=SUSE%20Manager%20Server%204.1
< 4.0.1-r1+ 107 more
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 0.1.109-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 0.1.109-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: >= 2.13.0, < 2.13.2.1
- (no CPE)range: < 3.2.2-10.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.6-21.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 3.6-3.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.2.0-16.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 49-1.module_el8.10.0+3791+e0637953
- (no CPE)range: < 1.2.13-9.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.2.12-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.2.11-12.module_el8.10.0+3791+e0637953
- (no CPE)range: < 2.2.11-12.module_el8.10.0+3791+e0637953
- (no CPE)range: < 2.2.11-12.module_el8.10.0+3791+e0637953
- (no CPE)range: < 2.14.2-1.module_el8.10.0+3791+e0637953
- (no CPE)range: < 2.14.2-1.module_el8.10.0+3791+e0637953
- (no CPE)range: < 2.14.2-1.module_el8.10.0+3791+e0637953
- (no CPE)range: < 2.14.2-1.module_el8.10.0+3791+e0637953
- (no CPE)range: < 2.14.2-1.module_el8.10.0+3791+e0637953
- (no CPE)range: < 2.14.2-1.module_el8.10.0+3791+e0637953
- (no CPE)range: < 2.14.2-2.module_el8.10.0+3791+e0637953
- (no CPE)range: < 2.14.2-2.module_el8.10.0+3791+e0637953
- (no CPE)range: < 2.14-1.module_el8.10.0+3791+e0637953
- (no CPE)range: < 1:3.1-28.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 3.18.1-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 3.18.1-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.14.1-2.el9
- (no CPE)range: < 1:9.0.62-1.module_el8.10.0+3791+e0637953
- (no CPE)range: < 2011.1-7.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.7.25-4.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.7.25-4.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.7.7-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.7-24.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.7.1-38.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.11.0-34.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.4.01-25.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.2-26.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.5.4-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 0-19.20110809svn.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.3.1
- (no CPE)range: < 2.13.0-150200.3.3.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.9.1
- (no CPE)range: < 2.13.0-150200.3.9.1
- (no CPE)range: < 2.13.0-150200.3.3.3
- (no CPE)range: < 2.13.0-150200.3.3.3
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.6.1
- (no CPE)range: < 2.13.0-150200.3.9.1
- (no CPE)range: < 2.13.0-150200.3.9.1
- (no CPE)range: < 2.13.0-150200.3.9.1
- (no CPE)range: < 2.13.0-150200.3.9.1
- (no CPE)range: < 2.13.0-150200.3.9.1
- (no CPE)range: < 2.13.0-150200.3.9.1
- (no CPE)range: < 2.13.0-150200.3.9.1
- (no CPE)range: < 2.13.0-150200.3.9.1
- (no CPE)range: < 2.13.0-150200.3.9.1
- (no CPE)range: < 2.13.0-150200.3.9.1
- (no CPE)range: < 2.13.0-150200.3.9.1
- (no CPE)range: < 2.13.0-150200.3.9.1
- (no CPE)range: < 2.13.0-150200.3.9.1
- (no CPE)range: < 2.13.0-150200.3.3.3
- (no CPE)range: < 2.13.0-150200.3.3.3
- (no CPE)range: < 2.13.0-150200.3.3.3
- (no CPE)range: < 2.13.0-150200.3.3.3
- (no CPE)range: < 2.13.0-150200.3.3.3
- (no CPE)range: < 2.13.0-150200.3.3.3
- (no CPE)range: < 2.13.0-150200.3.3.3
- (no CPE)range: < 2.13.0-150200.3.3.3
- (no CPE)range: < 2.13.0-150200.3.3.3
- (no CPE)range: < 2.13.0-150200.3.3.3
- (no CPE)range: < 2.13.0-150200.3.3.3
- (no CPE)range: < 2.13.0-150200.3.3.3
Patches
Vulnerability mechanics
References
15- lists.debian.org/debian-lts-announce/2022/05/msg00001.htmlnvdExploitMailing ListThird Party AdvisoryWEB
- github.com/FasterXML/jackson-databind/issues/2816nvdIssue TrackingThird Party AdvisoryWEB
- github.com/advisories/GHSA-57j2-w4cx-62h2ghsaADVISORY
- lists.debian.org/debian-lts-announce/2022/11/msg00035.htmlnvdMailing ListThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2020-36518ghsaADVISORY
- security.netapp.com/advisory/ntap-20220506-0004/nvdThird Party Advisory
- www.debian.org/security/2022/dsa-5283nvdThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpuapr2022.htmlnvdThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpujul2022.htmlnvdThird Party AdvisoryWEB
- github.com/FasterXML/jackson-databind/commit/0a8157c6ca478b1bc7be4ba7dccdb3863275f0deghsaWEB
- github.com/FasterXML/jackson-databind/commit/3cc52f82ecf943e06c1d7c3b078e405fb3923d2bghsaWEB
- github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fdghsaWEB
- github.com/FasterXML/jackson-databind/commit/b3587924ee5d8695942f364d0d404d48d0ea6126ghsaWEB
- github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892bghsaWEB
- security.netapp.com/advisory/ntap-20220506-0004ghsaWEB
News mentions
0No linked articles in our index yet.