Package jackson-databind updated to version 2.20.1-alt1 for branch sisyphus_riscv64.

Published: 2023-09-14
Modified: 2025-03-05

BDU:2023-05617

Уязвимость библиотеки Jackson-databind проекта FasterXML, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

References:

CVE-2022-42004

Published: 2023-09-14
Modified: 2025-03-05

BDU:2023-05618

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

References:

CVE-2022-42003

Published: 2024-01-06
Modified: 2024-09-13

BDU:2024-00088

Уязвимость библиотеки jackson-databind, связанная с неограниченным распределением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

References:

CVE-2021-46877

Published: 2024-01-10
Modified: 2025-03-05

BDU:2024-00114

Уязвимость библиотеки Jackson-databind, связанная с записью за границами буфера, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

References:

CVE-2020-36518

Published: 2024-02-07

BDU:2024-01074

Уязвимость библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (4.7) Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Severity: LOW (3.8) Vector: AV:L/AC:H/Au:S/C:N/I:N/A:C

References:

Published: 2022-03-11
Modified: 2025-08-27

CVE-2020-36518

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Published: 2023-03-18
Modified: 2025-02-26

CVE-2021-46877

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Published: 2022-10-02
Modified: 2024-11-21

CVE-2022-42003

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Published: 2022-10-02
Modified: 2024-11-21

CVE-2022-42004

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Published: 2023-06-14
Modified: 2024-11-21

CVE-2023-35116

jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.

Severity: MEDIUM (4.7) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Version: 2.1.2

Package jackson-databind update in sisyphus_riscv64 on 2025-11-09

ALT-PU-2025-14249-1

Closed vulnerabilities

BDU:2023-05617

BDU:2023-05618

BDU:2024-00088

BDU:2024-00114

BDU:2024-01074

CVE-2020-36518

CVE-2021-46877

CVE-2022-42003

CVE-2022-42004

CVE-2023-35116