Lucene search

K
githubGitHub Advisory DatabaseGHSA-H4X4-5QP2-WP46
HistoryDec 21, 2018 - 5:46 p.m.

Moderate severity vulnerability that affects com.fasterxml.jackson.datatype:jackson-datatype-jsr353

2018-12-2117:46:54
CWE-20
GitHub Advisory Database
github.com
66
vulnerability
jackson-databind
cwe-20
improper input validation
dos
exploitable
time value
nanoseconds
fixed
version 2.9.8
software

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.005

Percentile

76.8%

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Databind that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.

Affected configurations

Vulners
Node
com.fasterxml.jackson.datatypejackson-datatype-jsr310Range<2.9.8
VendorProductVersionCPE
com.fasterxml.jackson.datatypejackson-datatype-jsr310*cpe:2.3:a:com.fasterxml.jackson.datatype:jackson-datatype-jsr310:*:*:*:*:*:*:*:*

References

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.005

Percentile

76.8%