CVE-2020-36518 - Denial of Service (DoS)
Severity: High
2022-10-13
Abstract
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
The jackson-databind package is vulnerable to a Denial of Service (DoS) attack. The deserialize() method in the UntypedObjectDeserializer and UntypedObjectDeserializer$Vanilla classes fails to restrict recursion when deserializing nested untyped or generic objects. A remote attacker who can supply data to be deserialized by an affected application can exploit this vulnerability to cause the JVM to consume all available memory, resulting in a StackOverflow exception and ultimately a DoS condition.
The Oxygen products incorporate jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
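An added example, not Oxygen's or Jackson's own code, showing the defensive control this class of bug calls for: the document's nesting depth is measured with Jackson's streaming (pull) parser, which walks tokens iteratively rather than recursing, and only input within a configured limit is handed to the untyped `Object` binding that the advisory describes. Class and method names and the depth limit of 32 are this example's own choices.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

/** Depth gate in front of untyped deserialization (example code, not part of Oxygen or Jackson). */
public final class BoundedUntypedJson {

    private static final JsonFactory FACTORY = new JsonFactory();
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Returns the deepest object/array nesting in the document; the token walk itself never recurses. */
    static int maxNestingDepth(String json) throws IOException {
        int depth = 0, max = 0;
        try (JsonParser p = FACTORY.createParser(json)) {
            for (JsonToken t = p.nextToken(); t != null; t = p.nextToken()) {
                if (t == JsonToken.START_OBJECT || t == JsonToken.START_ARRAY) {
                    depth++;
                    if (depth > max) max = depth;
                } else if (t == JsonToken.END_OBJECT || t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        }
        return max;
    }

    /** Binds to Object (the UntypedObjectDeserializer path) only after the depth check passes. */
    static Object readUntyped(String json, int maxDepth) throws IOException {
        int depth = maxNestingDepth(json);
        if (depth > maxDepth) {
            throw new IOException("JSON nesting depth " + depth + " exceeds limit " + maxDepth);
        }
        return MAPPER.readValue(json, Object.class);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: one shallow document and one nested past the limit.
        String shallow = "{\"a\":[1,2,{\"b\":null}]}";
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 40; i++) sb.append('[');
        for (int i = 0; i < 40; i++) sb.append(']');
        String deep = sb.toString();

        System.out.println(readUntyped(shallow, 32));        // accepted: depth 3
        try {
            readUntyped(deep, 32);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage()); // depth 40 > 32
        }
    }
}
```

The pre-check works on any jackson 2.x version; jackson-core 2.15 and later additionally expose a built-in nesting limit through `StreamReadConstraints` on the `JsonFactory`, which enforces the same bound inside the parser.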
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen XML Author v24.1 and older | High | Oxygen XML Author 24.1 build 2022041507 |
| Oxygen XML Developer v24.1 and older | High | Oxygen XML Developer 24.1 build 2022041507 |
| Oxygen XML Editor v24.1 and older | High | Oxygen XML Editor 24.1 build 2022041507 |
| Oxygen XML Web Author v24.1 and older | High | Oxygen XML Web Author 24.1 build 2022070522 |
| Oxygen Content Fusion v4.1 and older | High | Oxygen Content Fusion 4.1 build 2022040914 |
| Oxygen Publishing Engine v24.1 and older | High | Oxygen Publishing Engine 24.1 build 2022041502 |
| Oxygen PDF Chemistry v24.1 and older | High | Oxygen PDF Chemistry 24.1 build 2022041502 |
| Oxygen Feedback v2.0 and older | High | Oxygen Feedback 2.1 build 2022041216 |
| Oxygen License Server v24.1 and older | High | Oxygen License Server 25.0 build 2022100311 |
Detail
CVE-2020-36518
Severity: High
CVSS Score: 7.5
The jackson-databind third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2020-36518 vulnerability description.
Starting with Oxygen Web Author v24.1.1, the jackson-databind library was updated to a non-vulnerable version.
Starting with Oxygen Content Fusion v4.1 build 2022040914, the jackson-databind library was updated to a non-vulnerable version.