GHSA-57j2-w4cx-62h2 · Severity: high · Ecosystem: maven — Deeply nested json in jackson-databind
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Conclusion & alert: CVE-2020-36518 is rated High Exploit Risk (81.2/100): CVSS High severity, with high exploitation likelihood (EPSS 4.86%, 91th percentile). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +4.35% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.51% | 4.86% | +4.35% |
| 2 | 2026-03-04 | 0.34% | 0.51% | +0.18% |
| 3 | 2026-03-01 | — | 0.34% | — |
Full EPSS history (55 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| 5.0 | 2.0 | MEDIUM |
|
10.0 | 2.9 | [email protected] |
GHSA-57j2-w4cx-62h2 · Severity: high · Ecosystem: maven — Deeply nested json in jackson-databind
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2020-36518 not yet assigned priority: Debian including 1 source packages (jackson-databind), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2020-36518 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2020-36518 |
suse
|
high | — | https://www.suse.com/security/cve/CVE-2020-36518/ |
ubuntu
|
medium | CVE-2020-36518 medium priority: Ubuntu including 1 source packages (jackson-databind), 14 status rows across 14 suites (bionic, focal, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): needs-triage 8, ignored 6. | https://ubuntu.com/security/CVE-2020-36518 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| fasterxml | jackson-databind | < 2.12.6.1 | cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* |
| fasterxml | jackson-databind | >= 2.13.0, < 2.13.2.1 | cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* |
| oracle | big_data_spatial_and_graph | < 23.1 | cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:* |
| oracle | coherence | 14.1.1.0.0 | cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:* |
| oracle | commerce_platform | 11.3.0 | cpe:2.3:a:oracle:commerce_platform:11.3.0:*:*:*:*:*:*:* |
| oracle | commerce_platform | 11.3.1 | cpe:2.3:a:oracle:commerce_platform:11.3.1:*:*:*:*:*:*:* |
| oracle | commerce_platform | 11.3.2 | cpe:2.3:a:oracle:commerce_platform:11.3.2:*:*:*:*:*:*:* |
| oracle | communications_billing_and_revenue_management | >= 12.0.0.4.0, <= 12.0.0.6.0 | cpe:2.3:a:oracle:communications_billing_and_revenue_management:*:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_binding_support_function | 22.1.3 | cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_console | 1.9.0 | cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_repository_function | 22.1.2 | cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_repository_function | 22.2.0 | cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_slice_selection_function | 22.1.0 | cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_slice_selection_function | 22.1.1 | cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.1:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_security_edge_protection_proxy | 22.1.1 | cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_service_communication_proxy | 22.2.0 | cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:22.2.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_unified_data_repository | 22.2.0 | cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:*:*:*:*:*:*:* |
| oracle | financial_services_analytical_applications_infrastructure | >= 8.0.7, <= 8.1.0.0 | cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* |
| oracle | financial_services_analytical_applications_infrastructure | 8.1.1.0 | cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:* |
| oracle | financial_services_analytical_applications_infrastructure | 8.1.2.0 | cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:* |
| oracle | financial_services_analytical_applications_infrastructure | 8.1.2.1 | cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.1:*:*:*:*:*:*:* |
| oracle | financial_services_behavior_detection_platform | >= 8.1.1.0, <= 8.1.2.1 | cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:* |
| oracle | financial_services_behavior_detection_platform | 8.0.7.0.0 | cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7.0.0:*:*:*:*:*:*:* |
| oracle | financial_services_behavior_detection_platform | 8.0.8 | cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8:*:*:*:*:*:*:* |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.2.0 | cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:* |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.3.0 | cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:* |
| oracle | financial_services_enterprise_case_management | >= 8.1.1.0, <= 8.1.2.1 | cpe:2.3:a:oracle:financial_services_enterprise_case_management:*:*:*:*:*:*:*:* |
| oracle | financial_services_enterprise_case_management | 8.0.7.1 | cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:* |
| oracle | financial_services_enterprise_case_management | 8.0.7.2 | cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:*:*:*:*:*:*:* |
| oracle | financial_services_enterprise_case_management | 8.0.8.0 | cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:* |
| oracle | financial_services_enterprise_case_management | 8.0.8.1 | cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:* |
| oracle | financial_services_trade-based_anti_money_laundering | 8.0.7 | cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7:*:*:*:enterprise:*:*:* |
| oracle | financial_services_trade-based_anti_money_laundering | 8.0.8 | cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8:*:*:*:enterprise:*:*:* |
| oracle | global_lifecycle_management_nextgen_oui_framework | < 13.9.4.2.2 | cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:*:*:*:*:*:*:*:* |
| oracle | global_lifecycle_management_nextgen_oui_framework | 13.9.4.2.2 | cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:*:*:*:*:*:*:* |
| oracle | global_lifecycle_management_opatch | < 12.2.0.1.30 | cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:* |
| oracle | graph_server_and_client | < 22.2.0 | cpe:2.3:a:oracle:graph_server_and_client:*:*:*:*:*:*:*:* |
| oracle | health_sciences_empirica_signal | 9.1.0.5.2 | cpe:2.3:a:oracle:health_sciences_empirica_signal:9.1.0.5.2:*:*:*:*:*:*:* |
| oracle | peoplesoft_enterprise_peopletools | 8.58 | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* |
| oracle | peoplesoft_enterprise_peopletools | 8.59 | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:* |
| oracle | primavera_gateway | >= 17.12.0, <= 17.12.11 | cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* |
| oracle | primavera_gateway | >= 18.8.0, <= 18.8.14 | cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* |
| oracle | primavera_gateway | >= 19.12.0, <= 19.12.13 | cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* |
| oracle | primavera_gateway | >= 20.12.0, <= 20.12.18 | cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* |
| oracle | primavera_gateway | >= 21.12.0, <= 21.12.1 | cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* |
| oracle | primavera_p6_enterprise_project_portfolio_management | >= 17.12.0.0, <= 17.12.20.4 | cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* |
| oracle | primavera_p6_enterprise_project_portfolio_management | >= 18.8.0.0, <= 18.8.25.4 | cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* |
| oracle | primavera_p6_enterprise_project_portfolio_management | >= 19.12.0, <= 19.12.19.0 | cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* |
| oracle | primavera_p6_enterprise_project_portfolio_management | >= 20.12.0.0, <= 21.12.4.0 | cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* |
| oracle | primavera_unifier | >= 17.0, <= 17.12 | cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* |
| oracle | primavera_unifier | 18.0 | cpe:2.3:a:oracle:primavera_unifier:18.0:*:*:*:*:*:*:* |
| oracle | primavera_unifier | 19.12 | cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:* |
| oracle | primavera_unifier | 20.12 | cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:* |
| oracle | primavera_unifier | 21.12 | cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:* |
| oracle | retail_sales_audit | 15.0.3.1 | cpe:2.3:a:oracle:retail_sales_audit:15.0.3.1:*:*:*:*:*:*:* |
| oracle | sd-wan_edge | 9.0 | cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:* |
| oracle | sd-wan_edge | 9.1 | cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:* |
| oracle | spatial_studio | < 20.1.0 | cpe:2.3:a:oracle:spatial_studio:*:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.3.0.5.0 | cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.3.0.6.0 | cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.4.0.0.0 | cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.4.0.2.0 | cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.4.0.3.0 | cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.4.0.5.0 | cpe:2.3:a:oracle:utilities_framework:4.4.0.5.0:*:*:*:*:*:*:* |
| oracle | weblogic_server | 12.2.1.3.0 | cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* |
| oracle | weblogic_server | 12.2.1.4.0 | cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* |
| oracle | weblogic_server | 14.1.1.0.0 | cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| debian | debian_linux | 10.0 | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
| debian | debian_linux | 11.0 | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
| netapp | active_iq_unified_manager | — | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* |
| netapp | active_iq_unified_manager | — | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* |
| netapp | active_iq_unified_manager | — | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* |
| netapp | cloud_insights_acquisition_unit | — | cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:*:*:*:*:*:*:* |
| netapp | oncommand_insight | — | cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* |
| netapp | oncommand_workflow_automation | — | cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* |
| netapp | snap_creator_framework | — | cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/FasterXML/jackson-databind/issues/2816 | Issue Tracking Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html | Exploit Mailing List Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html | Mailing List Third Party Advisory |
| https://security.netapp.com/advisory/ntap-20220506-0004/ | Third Party Advisory |
| https://www.debian.org/security/2022/dsa-5283 | Third Party Advisory |
| https://www.oracle.com/security-alerts/cpuapr2022.html | Third Party Advisory |
| https://www.oracle.com/security-alerts/cpujul2022.html | Third Party Advisory |