CVE-2020-28491 - OpenCVE

This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Fasterxml	Jackson-dataformats-binary
Oracle	Weblogic Server
Quarkus	Quarkus

Configuration 1 [-]

OR	cpe:2.3:a:fasterxml:jackson-dataformats-binary::::::::
	cpe:2.3:a:fasterxml:jackson-dataformats-binary::::::::
	cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.0:-::::::
	cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.0:rc1::::::
	cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.0:rc2::::::

Configuration 2 [-]

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*

References

Link	Resource
https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6	Patch Third Party Advisory
https://github.com/FasterXML/jackson-dataformats-binary/issues/186	Issue Tracking Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2021-02-18T00:00:00

Updated: 2022-07-25T16:17:12

Reserved: 2020-11-12T00:00:00

Link: CVE-2020-28491

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-02-18T16:15:13.207

Modified: 2022-12-06T21:44:42.577

Link: CVE-2020-28491

JSON object: View

Redhat Information

No data.

CWE

CWE-770

{"containers": {"cna": {"affected": [{"product": "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "2.11.4", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "2.12.0-rc1", "versionType": "custom"}, {"lessThan": "2.12.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "cowtowncoder"}], "datePublic": "2021-02-18T00:00:00", "descriptions": [{"lang": "en", "value": "This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Denial of Service (DoS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-25T16:17:12", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-dataformats-binary/issues/186"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "title": "Denial of Service (DoS)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2021-02-18T15:46:36.779241Z", "ID": "CVE-2020-28491", "STATE": "PUBLIC", "TITLE": "Denial of Service (DoS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}, {"version_affected": "<", "version_value": "2.11.4"}, {"version_affected": ">=", "version_value": "2.12.0-rc1"}, {"version_affected": "<", "version_value": "2.12.1"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "cowtowncoder"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service (DoS)"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329"}, {"name": "https://github.com/FasterXML/jackson-dataformats-binary/issues/186", "refsource": "MISC", "url": "https://github.com/FasterXML/jackson-dataformats-binary/issues/186"}, {"name": "https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6", "refsource": "MISC", "url": "https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}}}}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-28491", "datePublished": "2021-02-18T00:00:00", "dateReserved": "2020-11-12T00:00:00", "dateUpdated": "2022-07-25T16:17:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fasterxml:jackson-dataformats-binary:*:*:*:*:*:*:*:*", "matchCriteriaId": "6621426E-1001-48B0-BEFD-F032AFC27526", "versionEndExcluding": "2.11.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:fasterxml:jackson-dataformats-binary:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC85B4D7-6952-41AA-822C-7045F6352300", "versionEndExcluding": "2.12.1", "versionStartExcluding": "2.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.0:-:*:*:*:*:*:*", "matchCriteriaId": "7FBFAC5C-3C12-4F2B-AFA2-38A5D0867F6F", "vulnerable": true}, {"criteria": "cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "AE827068-6625-4634-9385-3672AB9096F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "2AD45DB3-F35D-486A-B43B-8B71F4CFE221", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "matchCriteriaId": "237329EB-B10C-47DC-8D7B-2B98D21E6CE8", "versionEndExcluding": "2.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception."}, {"lang": "es", "value": "Esto afecta al paquete com.fasterxml.jackson.dataformat:jackson-dataformat-cbor versiones desde 0 y anteriores a 2.11.4, versiones desde 2.12.0-rc1 y anteriores a 2.12.1. Una asignaci\u00f3n no comprobada de b\u00fafer de bytes puede causar una excepci\u00f3n de java.lang.OutOfMemoryError"}], "id": "CVE-2020-28491", "lastModified": "2022-12-06T21:44:42.577", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2021-02-18T16:15:13.207", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6"}, {"source": "report@snyk.io", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-dataformats-binary/issues/186"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}