CVE-2020-36518
Denial of Service vulnerability in com.fasterxml.jackson.core:jackson-databind

Tags: Denial of Service · Proof of concept · Fixable By Resolved Security

What is CVE-2020-36518 About?

jackson-databind is vulnerable to a Java stack overflow and denial of service when it processes deeply nested objects. This can cause the application to crash or become unresponsive. Exploitation is simple: supply input that is nested far more deeply than the application expects.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • <2.12.6.1
    • >2.13.0, <2.13.2.1

Technical Details

The vulnerability in jackson-databind is a denial of service (DoS) caused by allowing an unbounded depth of nested objects during deserialization. When the library processes a JSON document (or other input) with many levels of nested objects, each level adds a frame to the recursive deserializer's call stack, which can exhaust the thread stack and raise a StackOverflowError in the Java Virtual Machine. This error is unrecoverable and will crash the application, resulting in a denial of service. The issue stems from the deserializer having no limit on, or protection against, deep recursion.

What is the Impact of CVE-2020-36518?

Successful exploitation may allow attackers to cause a denial of service by triggering a stack overflow in the application, leading to system unresponsiveness or crashes.

What is the Exploitability of CVE-2020-36518?

Exploitation is straightforward and involves submitting a deeply nested data structure (e.g., JSON) to an endpoint that uses jackson-databind for deserialization. The complexity is low. No specific authentication or high privileges are required, as the attack simply involves sending data that is syntactically valid but excessively nested. This is typically a remote attack vector. The main constraint is that the application must be written in Java and use a vulnerable version of jackson-databind. Any application that accepts arbitrary JSON, or other data containing nested objects, from untrusted sources is at risk.

What are the Known Public Exploits?

PoC Author | Link | Commentary
ghillert | (link) | Reproduction of CVE-2020-36518 in Spring Boot 2.5.10

What are the Available Fixes for CVE-2020-36518?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch replaces the recursive implementation of untyped object deserialization with an iterative/descent-based approach via a new UntypedObjectDeserializerNR class, which removes deep, unbounded recursion from the call stack. This change fixes vulnerability CVE-2020-36518 because it prevents stack overflow and denial-of-service risks when parsing JSON inputs with extremely deep nesting, making parsing depth limited by heap rather than stack space.
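To illustrate the approach the fix takes, here is an added Java sketch (not code from the page or from Resolved Security's patch) that builds the same untyped Map/List/scalar tree from Jackson's streaming tokens using an explicit heap-allocated stack instead of recursion, and also applies an explicit depth cap. The class name, MAX_DEPTH and the constructed 50,000-level input are choices of this example; it assumes jackson-core 2.x and Java 11 or later.

```java
import com.fasterxml.jackson.core.*;
import java.io.IOException;
import java.util.*;
public class IterativeUntypedReader {
    // Example cap (this example's choice): input nested deeper than this is rejected with a plain IOException.
    private static final int MAX_DEPTH = 1000;
    // Reads one JSON value into Map/List/scalars without recursing once per nesting level.
    @SuppressWarnings("unchecked")
    public static Object read(JsonParser p) throws IOException {
        Deque<Object> open = new ArrayDeque<>(); // heap-allocated stack of open containers
        String field = null;
        for (JsonToken t = p.nextToken(); t != null; t = p.nextToken()) {
            Object value; boolean container = false;
            switch (t) {
                case FIELD_NAME: field = p.getCurrentName(); continue;
                case END_OBJECT: case END_ARRAY:
                    Object closed = open.pop();
                    if (open.isEmpty()) return closed; // root container finished
                    continue;
                case START_OBJECT: value = new LinkedHashMap<String, Object>(); container = true; break;
                case START_ARRAY: value = new ArrayList<Object>(); container = true; break;
                case VALUE_STRING: value = p.getText(); break;
                case VALUE_NUMBER_INT: case VALUE_NUMBER_FLOAT: value = p.getNumberValue(); break;
                case VALUE_TRUE: value = Boolean.TRUE; break;
                case VALUE_FALSE: value = Boolean.FALSE; break;
                case VALUE_NULL: value = null; break;
                default: throw new IOException("unexpected token " + t);
            }
            if (open.isEmpty() && !container) return value; // scalar root
            // Attach the value to its parent; peek() is null at the root, so both checks fall through.
            if (open.peek() instanceof Map) ((Map<String, Object>) open.peek()).put(field, value);
            else if (open.peek() instanceof List) ((List<Object>) open.peek()).add(value);
            if (container) {
                // Depth grows on the heap; cap it so memory, not the thread stack, is the only limit.
                if (open.size() >= MAX_DEPTH) throw new IOException("nesting deeper than " + MAX_DEPTH);
                open.push(value);
            }
        }
        throw new IOException("unexpected end of input");
    }
    public static void main(String[] args) throws IOException {
        // Constructed input: 50,000 nested arrays, the shape of payload this CVE concerns.
        String deep = "[".repeat(50_000) + "]".repeat(50_000);
        try (JsonParser p = new JsonFactory().createParser(deep)) {
            read(p);
        } catch (IOException e) {
            System.out.println("rejected without StackOverflowError: " + e.getMessage());
        }
    }
}
```

On jackson-core 2.15 or later the parser's own default StreamReadConstraints already rejects nesting beyond 1000 levels before this code sees it; the catch block handles that case the same way.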

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • <2.12.6.1 → Upgrade to 2.12.6.1
  • com.fasterxml.jackson.core:jackson-databind
    • >2.13.0, <2.13.2.1 → Upgrade to 2.13.2.1

Additional Resources

What are Similar Vulnerabilities to CVE-2020-36518?

Similar Vulnerabilities: CVE-2019-14540, CVE-2018-7489, CVE-2019-16321, CVE-2014-4611, CVE-2019-14439