Fluid Attacks Database

Description

jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	jackson-databind	>=0 <2.13.2.2-1	2.13.2.2-1
debian 11	jackson-databind	=2.12.1-1 \|\| =2.12.1-1+deb11u1 \|\| =2.12.5-1 \|\| =2.13.0-1 \|\| =2.13.0-2 \|\| =2.13.2.2-1 \|\| =2.14.0+ds-1 \|\| =2.14.0-1	-
debian 12	jackson-databind	>=0 <2.13.2.2-1	2.13.2.2-1
debian 13	jackson-databind	>=0 <2.13.2.2-1	2.13.2.2-1
maven	com.fasterxml.jackson.core:jackson-databind	>=2.10.0 <2.12.6 \|\| >=2.13.0 <2.13.1	2.12.6, 2.13.1
rpm rhel8	jackson-databind	-	-

Aliases

1. CVE-2021-468772. NVD-2021-468773. OSV-DEBIAN-2021-468774. OSV-2021-468775. GCVE-2021-468776. SECURITY-TRACKER-CVE-2021-46877

References

1. https://github.com/FasterXML/jackson-databind/issues/33282. https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb3. https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12.64. https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13.15. https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw