Vulnerability details: VCID-e6xc-qk88-nqcr
Vulnerability ID VCID-e6xc-qk88-nqcr
Aliases CVE-2020-28491
GHSA-xmc8-26q4-qjhx
Summary Allocation of Resources Without Limits or Throttling. This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28491.json
epss 0.00384 https://api.first.org/data/v1/epss?cve=CVE-2020-28491
epss 0.00431 https://api.first.org/data/v1/epss?cve=CVE-2020-28491
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-xmc8-26q4-qjhx
cvssv3.1 7.5 https://github.com/FasterXML/jackson-dataformats-binary
generic_textual HIGH https://github.com/FasterXML/jackson-dataformats-binary
cvssv3.1 7.5 https://github.com/FasterXML/jackson-dataformats-binary/commit/3d7de83423f8f68f8e9a0c8250084e11818544c7
generic_textual HIGH https://github.com/FasterXML/jackson-dataformats-binary/commit/3d7de83423f8f68f8e9a0c8250084e11818544c7
cvssv3.1 7.5 https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6
generic_textual HIGH https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6
cvssv3.1 7.5 https://github.com/FasterXML/jackson-dataformats-binary/issues/186
generic_textual HIGH https://github.com/FasterXML/jackson-dataformats-binary/issues/186
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2020-28491
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2020-28491
cvssv3.1 7.5 https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329
generic_textual HIGH https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329
cvssv3.1 7.5 https://www.oracle.com/security-alerts/cpujul2022.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpujul2022.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28491.json
https://api.first.org/data/v1/epss?cve=CVE-2020-28491
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28491
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/FasterXML/jackson-dataformats-binary
https://github.com/FasterXML/jackson-dataformats-binary/commit/3d7de83423f8f68f8e9a0c8250084e11818544c7
https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6
https://github.com/FasterXML/jackson-dataformats-binary/issues/186
https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329
https://www.oracle.com/security-alerts/cpujul2022.html
1930423 https://bugzilla.redhat.com/show_bug.cgi?id=1930423
983664 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983664
CVE-2020-28491 https://nvd.nist.gov/vuln/detail/CVE-2020-28491
GHSA-xmc8-26q4-qjhx https://github.com/advisories/GHSA-xmc8-26q4-qjhx
RHSA-2021:3125 https://access.redhat.com/errata/RHSA-2021:3125
RHSA-2021:3527 https://access.redhat.com/errata/RHSA-2021:3527
RHSA-2021:3528 https://access.redhat.com/errata/RHSA-2021:3528
RHSA-2021:3529 https://access.redhat.com/errata/RHSA-2021:3529
RHSA-2021:3534 https://access.redhat.com/errata/RHSA-2021:3534
RHSA-2021:3880 https://access.redhat.com/errata/RHSA-2021:3880
RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918
RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
RHSA-2022:0296 https://access.redhat.com/errata/RHSA-2022:0296
RHSA-2022:0297 https://access.redhat.com/errata/RHSA-2022:0297
RHSA-2022:0721 https://access.redhat.com/errata/RHSA-2022:0721
RHSA-2022:0727 https://access.redhat.com/errata/RHSA-2022:0727
RHSA-2022:0728 https://access.redhat.com/errata/RHSA-2022:0728
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28491.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FasterXML/jackson-dataformats-binary
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FasterXML/jackson-dataformats-binary/commit/3d7de83423f8f68f8e9a0c8250084e11818544c7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FasterXML/jackson-dataformats-binary/issues/186
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2020-28491
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.oracle.com/security-alerts/cpujul2022.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.59579
EPSS Score 0.00384
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:49:08.846426+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.fasterxml.jackson.dataformat/jackson-dataformat-cbor/CVE-2020-28491.yml 38.0.0