CVE-2021-46877

jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode in maven/com.fasterxml.jackson.core/jackson-databind

Identifiers

CVE-2021-46877, GHSA-3x8x-79m2-3w2w

Package Slug

maven/com.fasterxml.jackson.core/jackson-databind

Vulnerability

jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode

Description

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

Affected Versions

All versions from 2.10.0 (inclusive) up to but not including 2.12.6, and version 2.13.0

Solution

Upgrade to versions 2.12.6, 2.13.1 or above.
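To check a build against the affected ranges above, here is an added Python example (not code from the advisory or from the jackson-databind project): it parses Jackson-style version strings, tests them against the ranges, and scans `mvn dependency:tree` output; the tree text it scans is a constructed sample.

```python
import re
from typing import List, Tuple

# Ranges from the advisory above as (inclusive low, exclusive high) tuples of
# (major, minor, patch, micro, final). Lower bounds use final=0 and upper bounds
# final=1, so pre-releases such as 2.10.0-rc1 or 2.12.6-rc1 count as affected.
AFFECTED_RANGES = [
    ((2, 10, 0, 0, 0), (2, 12, 6, 0, 1)),
    ((2, 13, 0, 0, 0), (2, 13, 1, 0, 1)),
]

# Jackson uses three-part versions, four-part micro releases (2.12.7.1) and
# '-rcN' pre-releases; the tuple order makes 2.12.7 < 2.12.7.1 and rc1 < final.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.12.5', '2.12.7.1' or '2.13.0-rc1' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised jackson-databind version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    micro = int(m.group(4)) if m.group(4) else 0
    final = 0 if m.group(5) else 1
    return (major, minor, patch, micro, final)

def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def scan_dependency_tree(tree_output: str) -> List[str]:
    """Return affected jackson-databind versions found in `mvn dependency:tree` text."""
    pattern = re.compile(r"com\.fasterxml\.jackson\.core:jackson-databind:jar:([^:\s]+)")
    found = [m.group(1) for m in map(pattern.search, tree_output.splitlines()) if m]
    return [v for v in found if is_affected(v)]

# Constructed sample of `mvn dependency:tree` output, not taken from a real project.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.5:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.12.5:compile
[INFO] \\- org.example:lib:jar:3.1:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.1:compile
"""

if __name__ == "__main__":
    for v in ("2.9.10", "2.10.0", "2.12.5", "2.12.6", "2.13.0", "2.13.0-rc1", "2.13.1"):
        print(f"{v:>10}: {'AFFECTED' if is_affected(v) else 'ok'}")
    print("affected in sample tree:", scan_dependency_tree(SAMPLE_TREE))
```

Transitive copies matter as much as direct ones, so run the scan over the full tree rather than the top-level pom.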

Last Modified

2023-03-22
