CVE-2020-28491

HIGH

Fasterxml Jackson-dataformats-binary - Resource Allocation Without ...

Title source: rule

Description

This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.

Exploits (2)

nomisec STUB

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2020-28491-jackson-dataformats-binary-vulnerable

View Code ZIP pw:eip

nomisec STUB

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2020-28491-jackson-dataformats-binary-vulnerable

View Code ZIP pw:eip

References (4)

[Patch, Third Party Advisory] https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6

[Issue Tracking, Patch, Third Party Advisory] https://github.com/FasterXML/jackson-dataformats-binary/issues/186

[Patch, Third Party Advisory] https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 7.5

EPSS 0.0038

EPSS Percentile 59.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-770

Status published

Products (7)

com.fasterxml.jackson.dataformat/jackson-dataformat-cbor 2.8.0rc1 - 2.11.4Maven

fasterxml/jackson-dataformats-binary 2.12.0 (3 CPE variants)

fasterxml/jackson-dataformats-binary < 2.11.4

oracle/weblogic_server 12.2.1.3.0

oracle/weblogic_server 12.2.1.4.0

oracle/weblogic_server 14.1.1.0.0

quarkus/quarkus < 2.0.2

Published Feb 18, 2021

Tracked Since Feb 18, 2026