CVE-2020-36518


jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. (That is the NVD wording; the affected-version table further down is the more precise statement: the 2.12 line is affected before 2.12.6.1 and the 2.13 line from 2.13.0 up to but not including 2.13.2.1. Each nesting level consumes stack frames while the document is deserialized recursively, so an attacker-supplied document nested deeply enough ends the parse with a StackOverflowError instead of a parse error.)

Published: 2022-03-11 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2020-36518 is rated High Exploit Risk (81.2/100): CVSS High severity (7.5), with high exploitation likelihood (EPSS 4.86%, 91st percentile). Core evidence: 1 public exploit reference is indexed (Exploit-DB). EPSS rose +4.35% over the last day, indicating growing attacker interest. Mandatory action: public exploit material exists, so assess exposure (jackson-databind is usually a transitive dependency, so check the full dependency tree and bundled jars rather than direct declarations only), apply mitigations (cap JSON nesting depth and request body size at the parser or at the edge), and prioritize patching to at least 2.12.6.1 or 2.13.2.1, the first fixed releases implied by the affected-version table on this page.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
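To make the description and the recommended mitigation concrete, the following Java program is an added example written for this page, not code from the jackson-databind project or from any exploit reference. It builds a constructed payload of nested JSON arrays, runs the unbounded untyped-binding call the advisory describes, and runs a hardened variant that caps nesting depth with StreamReadConstraints.maxNestingDepth, an API that exists in jackson-core 2.15 and later (an assumed mitigation path layered on top of upgrading; the 2.12.6.1 / 2.13.2.1 releases remain the minimum fix). The class name, method names and the depth values are the example's own choices.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class NestingDepthDemo {

    // Constructed payload: `depth` nested JSON arrays, i.e. [[[ ... ]]].
    // Two bytes per level, so 100,000 levels is a 200 KB request body.
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // The pattern the advisory describes: untyped binding (Object.class) with a
    // default ObjectMapper. On jackson-databind in the affected ranges this
    // recurses once per nesting level and the thread dies with StackOverflowError.
    // On 2.15+ the factory default already caps depth at 1000 and the call fails
    // with StreamConstraintsException instead.
    static String parseUnbounded(String json) {
        ObjectMapper mapper = new ObjectMapper();
        try {
            mapper.readValue(json, Object.class);
            return "parsed";
        } catch (StackOverflowError e) {
            return "StackOverflowError"; // the denial-of-service condition
        } catch (Exception e) {
            return e.getClass().getSimpleName();
        }
    }

    // Hardened variant (jackson-core 2.15+): an explicit, application-chosen
    // nesting cap enforced by the streaming parser before any object binding.
    static String parseBounded(String json, int maxDepth) {
        StreamReadConstraints limits = StreamReadConstraints.builder()
                .maxNestingDepth(maxDepth)
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(limits)
                .build();
        ObjectMapper mapper = new ObjectMapper(factory);
        try {
            mapper.readValue(json, Object.class);
            return "parsed";
        } catch (StreamConstraintsException e) {
            // Rejected cleanly at depth maxDepth + 1; no stack exhaustion.
            return "rejected: " + e.getOriginalMessage();
        } catch (Exception e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        String shallow = nestedArrays(50);
        String deep = nestedArrays(100_000);
        System.out.println("bounded/shallow:   " + parseBounded(shallow, 500));
        System.out.println("bounded/deep:      " + parseBounded(deep, 500));
        System.out.println("unbounded/shallow: " + parseUnbounded(shallow));
        // Against a build in the affected ranges the next line reproduces the
        // advisory; against a patched build the library's own cap fires first.
        System.out.println("unbounded/deep:    " + parseUnbounded(deep));
    }
}
```

Compile the bounded variant against jackson-databind 2.15 or later; a cap in the low hundreds is generous for most REST payloads and is cheap to enforce because the streaming parser counts depth without recursion. To find which copy of the library is actually on a Maven project's classpath, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` prints every dependency path that pulls it in.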

Public exploit references (Exploit-DB) for CVE-2020-36518

EDB-ID Source Kind Published Link
(not listed) nvd_ref exploit_tag (not listed) Exploit-DB

This row is derived from an NVD reference carrying the Exploit tag; no EDB-ID or publication date is recorded on this page. For this bug the "exploit" is simply a JSON document nested deeply enough to exhaust the parsing thread's stack, so whether a packaged exploit exists changes little about exposure.

Exploit prediction scoring system (EPSS) score for CVE-2020-36518

EPSS lead: EPSS is a daily estimate of the probability that this CVE will be exploited in the wild within the next 30 days; the percentile ranks that probability against all scored CVEs (a higher percentile means a higher relative likelihood of exploitation, not a higher severity).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.51% 4.86% +4.35%
2 2026-03-04 0.34% 0.51% +0.18%
3 2026-03-01 n/a 0.34% n/a (earliest record shown)

Full EPSS history (55 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2020-36518

CVSS metrics for this CVE: two CVSS v3.1 scores (NVD and the CISA ADP record) that agree exactly, plus NVD's legacy CVSS v2.0 score.

Base score Version Severity Vector Exploitability Impact Score source
7.5 3.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6 [email protected]
7.5 3.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6 134c704f-9b21-4f2e-91b3-4a467353bcc0 (the CISA ADP identifier in CVE records)
5.0 2.0 MEDIUM AV:N/AC:L/Au:N/C:N/I:N/A:P 10.0 2.9 [email protected]

CVSS v3.1 vector, metric by metric (both v3.1 sources agree):
Attack vector (AV:N): triggerable by anyone who can send JSON to an endpoint that deserializes it; no local access needed.
Attack complexity (AC:L): the payload is a single deeply nested document; no race condition or special setup is involved.
Privileges required (PR:N): no account or special rights; an unauthenticated endpoint that parses JSON is enough.
User interaction (UI:N): no victim action is required.
Scope (S:U): the impact stays within the JVM process that performs the parsing.
Confidentiality (C:N): no information disclosure.
Integrity (I:N): no data modification.
Availability (A:H): the parsing thread dies with a StackOverflowError, and because the request is cheap to repeat the service can be kept unusable.

CVSS v2.0 vector, metric by metric:
Access vector (AV:N): exploitable remotely over the network.
Access complexity (AC:L): exploitation conditions are straightforward and predictable.
Authentication (Au:N): no authentication required.
Confidentiality impact (C:N): none.
Integrity impact (I:N): none.
Availability impact (A:P): partial availability impact. The v2 and v3.1 scales weight availability loss differently, which accounts for most of the gap between the 5.0 and 7.5 base scores.

Weakness enumeration for CVE-2020-36518

GitHub Security Advisory for CVE-2020-36518

GHSA-57j2-w4cx-62h2 · Severity: high · Ecosystem: maven — Deeply nested json in jackson-databind

OS Trackers for CVE-2020-36518

vendor priority summary link
debian not yet assigned Debian: 1 source package (jackson-databind), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2020-36518
redhat medium https://access.redhat.com/security/cve/CVE-2020-36518
suse high https://www.suse.com/security/cve/CVE-2020-36518/
ubuntu medium Ubuntu: 1 source package (jackson-databind), 14 status rows across 14 suites (bionic, focal, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): needs-triage 8, ignored 6. https://ubuntu.com/security/CVE-2020-36518

These trackers cover only the distribution-packaged jackson-databind. Java applications usually ship their own copy inside a fat jar or WAR, so a "resolved" or "ignored" status above says nothing about copies bundled with deployed applications; those have to be inventoried and patched separately.

Affected software / configurations for CVE-2020-36518

Vendor Product Version Raw CPE
fasterxml jackson-databind < 2.12.6.1 cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
fasterxml jackson-databind >= 2.13.0, < 2.13.2.1 cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
oracle big_data_spatial_and_graph < 23.1 cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:*
oracle coherence 14.1.1.0.0 cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*
oracle commerce_platform 11.3.0 cpe:2.3:a:oracle:commerce_platform:11.3.0:*:*:*:*:*:*:*
oracle commerce_platform 11.3.1 cpe:2.3:a:oracle:commerce_platform:11.3.1:*:*:*:*:*:*:*
oracle commerce_platform 11.3.2 cpe:2.3:a:oracle:commerce_platform:11.3.2:*:*:*:*:*:*:*
oracle communications_billing_and_revenue_management >= 12.0.0.4.0, <= 12.0.0.6.0 cpe:2.3:a:oracle:communications_billing_and_revenue_management:*:*:*:*:*:*:*:*
oracle communications_cloud_native_core_binding_support_function 22.1.3 cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:*
oracle communications_cloud_native_core_console 1.9.0 cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
oracle communications_cloud_native_core_network_repository_function 22.1.2 cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:*:*:*:*:*:*:*
oracle communications_cloud_native_core_network_repository_function 22.2.0 cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:*:*:*:*:*:*:*
oracle communications_cloud_native_core_network_slice_selection_function 22.1.0 cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:*
oracle communications_cloud_native_core_network_slice_selection_function 22.1.1 cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.1:*:*:*:*:*:*:*
oracle communications_cloud_native_core_security_edge_protection_proxy 22.1.1 cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:*:*:*:*:*:*:*
oracle communications_cloud_native_core_service_communication_proxy 22.2.0 cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:22.2.0:*:*:*:*:*:*:*
oracle communications_cloud_native_core_unified_data_repository 22.2.0 cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:*:*:*:*:*:*:*
oracle financial_services_analytical_applications_infrastructure >= 8.0.7, <= 8.1.0.0 cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
oracle financial_services_analytical_applications_infrastructure 8.1.1.0 cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:*
oracle financial_services_analytical_applications_infrastructure 8.1.2.0 cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:*
oracle financial_services_analytical_applications_infrastructure 8.1.2.1 cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.1:*:*:*:*:*:*:*
oracle financial_services_behavior_detection_platform >= 8.1.1.0, <= 8.1.2.1 cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*
oracle financial_services_behavior_detection_platform 8.0.7.0.0 cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7.0.0:*:*:*:*:*:*:*
oracle financial_services_behavior_detection_platform 8.0.8 cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8:*:*:*:*:*:*:*
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0 cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0 cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
oracle financial_services_enterprise_case_management >= 8.1.1.0, <= 8.1.2.1 cpe:2.3:a:oracle:financial_services_enterprise_case_management:*:*:*:*:*:*:*:*
oracle financial_services_enterprise_case_management 8.0.7.1 cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*
oracle financial_services_enterprise_case_management 8.0.7.2 cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:*:*:*:*:*:*:*
oracle financial_services_enterprise_case_management 8.0.8.0 cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*
oracle financial_services_enterprise_case_management 8.0.8.1 cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*
oracle financial_services_trade-based_anti_money_laundering 8.0.7 cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7:*:*:*:enterprise:*:*:*
oracle financial_services_trade-based_anti_money_laundering 8.0.8 cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8:*:*:*:enterprise:*:*:*
oracle global_lifecycle_management_nextgen_oui_framework < 13.9.4.2.2 cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:*:*:*:*:*:*:*:*
oracle global_lifecycle_management_nextgen_oui_framework 13.9.4.2.2 cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:*:*:*:*:*:*:*
oracle global_lifecycle_management_opatch < 12.2.0.1.30 cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*
oracle graph_server_and_client < 22.2.0 cpe:2.3:a:oracle:graph_server_and_client:*:*:*:*:*:*:*:*
oracle health_sciences_empirica_signal 9.1.0.5.2 cpe:2.3:a:oracle:health_sciences_empirica_signal:9.1.0.5.2:*:*:*:*:*:*:*
oracle peoplesoft_enterprise_peopletools 8.58 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
oracle peoplesoft_enterprise_peopletools 8.59 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
oracle primavera_gateway >= 17.12.0, <= 17.12.11 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
oracle primavera_gateway >= 18.8.0, <= 18.8.14 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
oracle primavera_gateway >= 19.12.0, <= 19.12.13 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
oracle primavera_gateway >= 20.12.0, <= 20.12.18 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
oracle primavera_gateway >= 21.12.0, <= 21.12.1 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
oracle primavera_p6_enterprise_project_portfolio_management >= 17.12.0.0, <= 17.12.20.4 cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
oracle primavera_p6_enterprise_project_portfolio_management >= 18.8.0.0, <= 18.8.25.4 cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
oracle primavera_p6_enterprise_project_portfolio_management >= 19.12.0, <= 19.12.19.0 cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
oracle primavera_p6_enterprise_project_portfolio_management >= 20.12.0.0, <= 21.12.4.0 cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
oracle primavera_unifier >= 17.0, <= 17.12 cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
oracle primavera_unifier 18.0 cpe:2.3:a:oracle:primavera_unifier:18.0:*:*:*:*:*:*:*
oracle primavera_unifier 19.12 cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
oracle primavera_unifier 20.12 cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
oracle primavera_unifier 21.12 cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
oracle retail_sales_audit 15.0.3.1 cpe:2.3:a:oracle:retail_sales_audit:15.0.3.1:*:*:*:*:*:*:*
oracle sd-wan_edge 9.0 cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*
oracle sd-wan_edge 9.1 cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*
oracle spatial_studio < 20.1.0 cpe:2.3:a:oracle:spatial_studio:*:*:*:*:*:*:*:*
oracle utilities_framework 4.3.0.5.0 cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0:*:*:*:*:*:*:*
oracle utilities_framework 4.3.0.6.0 cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*
oracle utilities_framework 4.4.0.0.0 cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*
oracle utilities_framework 4.4.0.2.0 cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*
oracle utilities_framework 4.4.0.3.0 cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*
oracle utilities_framework 4.4.0.5.0 cpe:2.3:a:oracle:utilities_framework:4.4.0.5.0:*:*:*:*:*:*:*
oracle weblogic_server 12.2.1.3.0 cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
oracle weblogic_server 12.2.1.4.0 cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
oracle weblogic_server 14.1.1.0.0 cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
debian debian_linux 9.0 cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
debian debian_linux 10.0 cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
debian debian_linux 11.0 cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
netapp active_iq_unified_manager cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
netapp active_iq_unified_manager cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
netapp active_iq_unified_manager cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
netapp cloud_insights_acquisition_unit cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:*:*:*:*:*:*:*
netapp oncommand_insight cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
netapp oncommand_workflow_automation cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
netapp snap_creator_framework cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*

References for CVE-2020-36518

cvelogic Threat Intelligence