CVE-2020-28491

HIGH

jackson-dataformats-binary < 2.11.4 - Denial of Service via Unchecked Byte Buffer Allocation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploit entries for CVE-2020-28491, published as PoCs by dawetmaster and andikahilmy. Both are classified below as stubs: neither repository contains exploit code.

AI-analyzed exploit summary: This repository appears to be a fork or clone of the Jackson dataformats binary project, specifically targeting the Avro module. It lacks any exploit code or proof-of-concept for CVE-2020-28491, instead containing only the source code of the vulnerable library itself.

Description

This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor in versions from 0 before 2.11.4 and from 2.12.0-rc1 before 2.12.1. Unchecked allocation of a byte buffer, sized from an attacker-controlled length in the input, can cause a java.lang.OutOfMemoryError exception, i.e. a denial of service reachable by anyone who can feed CBOR to the parser.
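The weakness class (CWE-770) is easiest to see with the CBOR wire format itself: a byte string is announced by a header carrying its length, and a parser that sizes its buffer from that header before confirming the input actually contains that many bytes can be made to allocate gigabytes from a six-byte document. The following is an added example in Python, not Jackson's Java code and not taken from the page or the linked repositories; it models the vulnerable allocation pattern the description points at next to a checked version, using a constructed CBOR document. The exact Jackson code path is not shown on this page, so treat the parser below as an illustration of the pattern, not as Jackson's implementation.

```python
import struct

# CBOR (RFC 8949): the initial byte carries a 3-bit major type and a 5-bit
# "additional information" field. Major type 2 is a byte string; additional
# info 24..27 means the length follows as a 1/2/4/8-byte big-endian integer.
MT_BYTE_STRING = 2
_LENGTH_WIDTHS = {24: 1, 25: 2, 26: 4, 27: 8}


class ParseError(Exception):
    """Raised by the checked parser for malformed or oversized input."""


def cbor_byte_string_header(length: int) -> bytes:
    """Encode the initial byte (plus length field) for a byte string of `length` bytes."""
    if length < 0:
        raise ValueError("length must be non-negative")
    if length < 24:
        return bytes([(MT_BYTE_STRING << 5) | length])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        try:
            return bytes([(MT_BYTE_STRING << 5) | ai]) + struct.pack(fmt, length)
        except struct.error:
            continue  # does not fit this width, try the next one
    raise ValueError("length does not fit in a CBOR uint64")


def craft_oversized_byte_string(declared_len: int, payload: bytes = b"") -> bytes:
    """Constructed attacker input (assumption for this example): a header claiming
    `declared_len` bytes followed by only `payload`, so the document stays tiny."""
    return cbor_byte_string_header(declared_len) + payload


def read_byte_string_length(data: bytes) -> tuple:
    """Decode the byte-string header; return (declared_length, offset_of_content)."""
    if not data:
        raise ParseError("empty input")
    mt, ai = data[0] >> 5, data[0] & 0x1F
    if mt != MT_BYTE_STRING:
        raise ParseError(f"expected a byte string, got major type {mt}")
    if ai < 24:
        return ai, 1
    width = _LENGTH_WIDTHS.get(ai)
    if width is None:
        raise ParseError("indefinite-length or reserved encoding not handled here")
    if 1 + width > len(data):
        raise ParseError("truncated length field")
    return int.from_bytes(data[1:1 + width], "big"), 1 + width


def parse_byte_string_unchecked(data: bytes) -> bytes:
    """Vulnerable pattern: size the buffer from the declared length before checking
    that the input really carries that many bytes. The allocation is attacker-sized."""
    length, pos = read_byte_string_length(data)
    buf = bytearray(length)          # the unchecked allocation
    chunk = data[pos:pos + length]   # copies only what is actually present
    buf[:len(chunk)] = chunk
    return bytes(buf)


def parse_byte_string_checked(data: bytes, max_len: int = 1 << 20) -> bytes:
    """Hardened pattern: reject a declared length that exceeds the bytes actually
    available or a policy limit, so nothing is allocated for a bogus header."""
    length, pos = read_byte_string_length(data)
    remaining = len(data) - pos
    if length > remaining:
        raise ParseError(f"declared length {length} exceeds remaining input {remaining}")
    if length > max_len:
        raise ParseError(f"declared length {length} exceeds limit {max_len}")
    return bytes(data[pos:pos + length])


def is_rejected(data: bytes, max_len: int = 1 << 20) -> bool:
    """True if the checked parser refuses `data` without allocating."""
    try:
        parse_byte_string_checked(data, max_len)
    except ParseError:
        return True
    return False


def amplification(data: bytes) -> int:
    """Bytes the unchecked parser would allocate per byte of input."""
    length, _ = read_byte_string_length(data)
    return length // len(data)


if __name__ == "__main__":
    # 6-byte document that makes the unchecked parser allocate 16 MiB.
    doc = craft_oversized_byte_string(1 << 24, b"\x00")
    print(doc.hex(), "->", len(parse_byte_string_unchecked(doc)), "bytes allocated")
    # 5-byte document declaring ~2 GiB: never handed to the unchecked parser here.
    big = craft_oversized_byte_string((1 << 31) - 1)
    print(big.hex(), "amplification x%d, rejected=%s" % (amplification(big), is_rejected(big)))
```

The checked parser enforces two independent bounds: the declared length can never exceed what remains in the input, and a policy ceiling caps legitimate-but-large strings. Upgrading to the fixed releases named above (2.11.4 or 2.12.1) is the real remediation; capping request body size at the application boundary is a useful second layer, since it bounds the remaining-input term regardless of parser behaviour.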

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2020-28491-jackson-dataformats-binary-vulnerable

This repository appears to be a fork or clone of the Jackson dataformats binary project, specifically targeting the Avro module. It lacks any exploit code or proof-of-concept for CVE-2020-28491, instead containing only the source code of the vulnerable library itself.

Classification: Stub (90%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Theoretical
Target: FasterXML Jackson dataformats-binary (Avro module) versions before 2.12.0
Auth: none needed
Prerequisites: Vulnerable version of Jackson dataformats-binary with Avro support · Ability to send crafted Avro data to an application using the library
Analyzed by devstral-2 on Mar 14, 2026
nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2020-28491-jackson-dataformats-binary-vulnerable

This repository appears to be a fork or clone of the Jackson dataformats binary project, specifically targeting the Avro module. It lacks any exploit code or technical analysis related to CVE-2020-28491, instead containing only the source code of the vulnerable library itself.

Classification: Stub (90%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Theoretical
Target: Jackson dataformats binary (Avro module) versions before 2.12.0
Auth: none needed
Prerequisites: Target application using vulnerable Jackson dataformats binary library · Ability to send crafted Avro data to the application
Analyzed by devstral-2 on Feb 18, 2026

References (4)

Patch, Third Party Advisory (x_refsource_misc): https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329
Issue Tracking, Patch, Third Party Advisory (x_refsource_misc): https://github.com/FasterXML/jackson-dataformats-binary/issues/186
Patch, Third Party Advisory (x_refsource_misc): https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3: 7.5 (High)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
EPSS: 0.0307 (3.07%)
EPSS Percentile: 85.9%

Details

CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
Status: published
Products (7):
- com.fasterxml.jackson.dataformat/jackson-dataformat-cbor 2.8.0rc1 - 2.11.4 (Maven)
- fasterxml/jackson-dataformats-binary 2.12.0 (3 CPE variants)
- fasterxml/jackson-dataformats-binary < 2.11.4
- oracle/weblogic_server 12.2.1.3.0
- oracle/weblogic_server 12.2.1.4.0
- oracle/weblogic_server 14.1.1.0.0
- quarkus/quarkus < 2.0.2
Published: Feb 18, 2021
Tracked Since: Feb 18, 2026