CVE-2020-36518 - Denial of Service (DoS)

Severity: High2022-10-13

Abstract

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

The jackson-databind package is vulnerable to a Denial of Service (DoS) attack. The deserialize() method in the UntypedObjectDeserializer and UntypedObjectDeserializer$Vanilla classes fails to restrict recursion when deserializing nested untyped or generic objects. A remote attacker who can supply data to be deserialized by an affected application can exploit this vulnerability to cause the JVM to consume all available memory, resulting in a StackOverflow exception and ultimately a DoS condition.

The Oxygen products incorporate jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product	Severity	Fixed Release Availability
Oxygen XML Author v24.1 and older	High	Oxygen XML Author 24.1 build 2022041507
Oxygen XML Developer v24.1 and older	High	Oxygen XML Developer 24.1 build 2022041507
Oxygen XML Editor v24.1 and older	High	Oxygen XML Editor 24.1 build 2022041507
Oxygen XML Web Author v24.1 and older	High	Oxygen XML Web Author 24.1 build 2022070522
Oxygen Content Fusion v4.1 and older	High	Oxygen Content Fusion 4.1 build 2022040914
Oxygen Publishing Engine v24.1 and older	High	Oxygen Publishing Engine 24.1 build 2022041502
Oxygen PDF Chemistry v24.1 and older	High	Oxygen PDF Chemistry 24.1 build 2022041502
Oxygen Feedback v2.0 and older	High	Oxygen Feedback 2.1 build 2022041216
Oxygen License Server v24.1 and older	High	Oxygen License Server 25.0 build 2022100311