Vulnerability details: VCID-v6ek-y7cn-kycd
Vulnerability ID VCID-v6ek-y7cn-kycd
Aliases CVE-2020-36518
GHSA-57j2-w4cx-62h2
Summary Uncontrolled Resource Consumption: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36518.json
epss 0.00514 https://api.first.org/data/v1/epss?cve=CVE-2020-36518
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-57j2-w4cx-62h2
cvssv3.1 7.5 https://github.com/FasterXML/jackson-databind
generic_textual HIGH https://github.com/FasterXML/jackson-databind
cvssv3.1 7.5 https://github.com/FasterXML/jackson-databind/commit/0a8157c6ca478b1bc7be4ba7dccdb3863275f0de
generic_textual HIGH https://github.com/FasterXML/jackson-databind/commit/0a8157c6ca478b1bc7be4ba7dccdb3863275f0de
cvssv3.1 7.5 https://github.com/FasterXML/jackson-databind/commit/3cc52f82ecf943e06c1d7c3b078e405fb3923d2b
generic_textual HIGH https://github.com/FasterXML/jackson-databind/commit/3cc52f82ecf943e06c1d7c3b078e405fb3923d2b
cvssv3.1 7.5 https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd
generic_textual HIGH https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd
cvssv3.1 7.5 https://github.com/FasterXML/jackson-databind/commit/b3587924ee5d8695942f364d0d404d48d0ea6126
generic_textual HIGH https://github.com/FasterXML/jackson-databind/commit/b3587924ee5d8695942f364d0d404d48d0ea6126
cvssv3.1 7.5 https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b
generic_textual HIGH https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b
cvssv3.1 7.5 https://github.com/FasterXML/jackson-databind/issues/2816
generic_textual HIGH https://github.com/FasterXML/jackson-databind/issues/2816
ssvc Track https://github.com/FasterXML/jackson-databind/issues/2816
cvssv3.1 7.5 https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12
generic_textual HIGH https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12
cvssv3.1 7.5 https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13
generic_textual HIGH https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
ssvc Track https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
ssvc Track https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2020-36518
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2020-36518
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20220506-0004
generic_textual HIGH https://security.netapp.com/advisory/ntap-20220506-0004
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20220506-0004/
ssvc Track https://security.netapp.com/advisory/ntap-20220506-0004/
cvssv3.1 7.5 https://www.debian.org/security/2022/dsa-5283
generic_textual HIGH https://www.debian.org/security/2022/dsa-5283
ssvc Track https://www.debian.org/security/2022/dsa-5283
cvssv3.1 7.5 https://www.oracle.com/security-alerts/cpuapr2022.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpuapr2022.html
ssvc Track https://www.oracle.com/security-alerts/cpuapr2022.html
cvssv3.1 7.5 https://www.oracle.com/security-alerts/cpujul2022.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpujul2022.html
ssvc Track https://www.oracle.com/security-alerts/cpujul2022.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36518.json
https://api.first.org/data/v1/epss?cve=CVE-2020-36518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42003
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42004
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/FasterXML/jackson-databind
https://github.com/FasterXML/jackson-databind/commit/0a8157c6ca478b1bc7be4ba7dccdb3863275f0de
https://github.com/FasterXML/jackson-databind/commit/3cc52f82ecf943e06c1d7c3b078e405fb3923d2b
https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd
https://github.com/FasterXML/jackson-databind/commit/b3587924ee5d8695942f364d0d404d48d0ea6126
https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b
https://github.com/FasterXML/jackson-databind/issues/2816
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13
https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
https://security.netapp.com/advisory/ntap-20220506-0004
https://www.debian.org/security/2022/dsa-5283
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
1007109 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007109
2064698 https://bugzilla.redhat.com/show_bug.cgi?id=2064698
CVE-2020-36518 https://nvd.nist.gov/vuln/detail/CVE-2020-36518
GHSA-57j2-w4cx-62h2 https://github.com/advisories/GHSA-57j2-w4cx-62h2
ntap-20220506-0004 https://security.netapp.com/advisory/ntap-20220506-0004/
RHSA-2022:2232 https://access.redhat.com/errata/RHSA-2022:2232
RHSA-2022:4918 https://access.redhat.com/errata/RHSA-2022:4918
RHSA-2022:4919 https://access.redhat.com/errata/RHSA-2022:4919
RHSA-2022:4922 https://access.redhat.com/errata/RHSA-2022:4922
RHSA-2022:5029 https://access.redhat.com/errata/RHSA-2022:5029
RHSA-2022:5101 https://access.redhat.com/errata/RHSA-2022:5101
RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
RHSA-2022:5596 https://access.redhat.com/errata/RHSA-2022:5596
RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407
RHSA-2022:6782 https://access.redhat.com/errata/RHSA-2022:6782
RHSA-2022:6783 https://access.redhat.com/errata/RHSA-2022:6783
RHSA-2022:6787 https://access.redhat.com/errata/RHSA-2022:6787
RHSA-2022:6819 https://access.redhat.com/errata/RHSA-2022:6819
RHSA-2022:7409 https://access.redhat.com/errata/RHSA-2022:7409
RHSA-2022:7410 https://access.redhat.com/errata/RHSA-2022:7410
RHSA-2022:7411 https://access.redhat.com/errata/RHSA-2022:7411
RHSA-2022:7417 https://access.redhat.com/errata/RHSA-2022:7417
RHSA-2022:7435 https://access.redhat.com/errata/RHSA-2022:7435
RHSA-2022:8781 https://access.redhat.com/errata/RHSA-2022:8781
RHSA-2022:8889 https://access.redhat.com/errata/RHSA-2022:8889
RHSA-2023:0264 https://access.redhat.com/errata/RHSA-2023:0264
RHSA-2023:2312 https://access.redhat.com/errata/RHSA-2023:2312
RHSA-2023:3223 https://access.redhat.com/errata/RHSA-2023:3223
RHSA-2024:3061 https://access.redhat.com/errata/RHSA-2024:3061
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36518.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FasterXML/jackson-databind
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FasterXML/jackson-databind/commit/0a8157c6ca478b1bc7be4ba7dccdb3863275f0de
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FasterXML/jackson-databind/commit/3cc52f82ecf943e06c1d7c3b078e405fb3923d2b
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FasterXML/jackson-databind/commit/b3587924ee5d8695942f364d0d404d48d0ea6126
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FasterXML/jackson-databind/issues/2816
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-27T20:34:26Z/ Found at https://github.com/FasterXML/jackson-databind/issues/2816
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-27T20:34:26Z/ Found at https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-27T20:34:26Z/ Found at https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2020-36518
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20220506-0004
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20220506-0004/
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-27T20:34:26Z/ Found at https://security.netapp.com/advisory/ntap-20220506-0004/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.debian.org/security/2022/dsa-5283
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-27T20:34:26Z/ Found at https://www.debian.org/security/2022/dsa-5283
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.oracle.com/security-alerts/cpuapr2022.html
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-27T20:34:26Z/ Found at https://www.oracle.com/security-alerts/cpuapr2022.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.oracle.com/security-alerts/cpujul2022.html
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-27T20:34:26Z/ Found at https://www.oracle.com/security-alerts/cpujul2022.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.66505
EPSS Score 0.00514
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:49:40.509614+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.fasterxml.jackson.core/jackson-databind/CVE-2020-36518.yml 38.0.0