PT-2021-7974 · Fasterxml+2 · Jackson Dataformat Cbor+2
Cowtowncoder
·
Published
2021-02-18
·
Updated
2022-12-06
·
CVE-2020-28491
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
com.fasterxml.jackson.dataformat:jackson-dataformat-cbor versions 0 through 2.11.4
com.fasterxml.jackson.dataformat:jackson-dataformat-cbor versions 2.12.0-rc1 through 2.12.1
Description
The issue is related to the allocation of unlimited memory in the com.fasterxml.jackson.dataformat:jackson-dataformat-cbor package of the jackson-dataformats-binary library. This can be exploited by a remote attacker to cause a denial of service. The unchecked allocation of a byte buffer can cause a java.lang.OutOfMemoryError exception.
Recommendations
For com.fasterxml.jackson.dataformat:jackson-dataformat-cbor versions 0 through 2.11.4, update to version 2.11.4 or later.
For com.fasterxml.jackson.dataformat:jackson-dataformat-cbor versions 2.12.0-rc1 through 2.12.1, update to version 2.12.1 or later.
As a temporary workaround, consider restricting the allocation of byte buffers to prevent the java.lang.OutOfMemoryError exception.
Fix
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Suse
Jackson Dataformat Cbor