{"containers": {"cna": {"affected": [{"product": "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "2.11.4", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "2.12.0-rc1", "versionType": "custom"}, {"lessThan": "2.12.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "cowtowncoder"}], "datePublic": "2021-02-18T00:00:00", "descriptions": [{"lang": "en", "value": "This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Denial of Service (DoS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-25T16:17:12", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-dataformats-binary/issues/186"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "title": "Denial of Service (DoS)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2021-02-18T15:46:36.779241Z", "ID": "CVE-2020-28491", "STATE": "PUBLIC", "TITLE": "Denial of Service (DoS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}, {"version_affected": "<", "version_value": "2.11.4"}, {"version_affected": ">=", "version_value": "2.12.0-rc1"}, {"version_affected": "<", "version_value": "2.12.1"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "cowtowncoder"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service (DoS)"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329"}, {"name": "https://github.com/FasterXML/jackson-dataformats-binary/issues/186", "refsource": "MISC", "url": "https://github.com/FasterXML/jackson-dataformats-binary/issues/186"}, {"name": "https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6", "refsource": "MISC", "url": "https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:40:58.646Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/FasterXML/jackson-dataformats-binary/issues/186"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-28491", "datePublished": "2021-02-18T15:50:15.260223Z", "dateReserved": "2020-11-12T00:00:00", "dateUpdated": "2024-09-16T20:16:27.638Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fasterxml:jackson-dataformats-binary:*:*:*:*:*:*:*:*", "matchCriteriaId": "6621426E-1001-48B0-BEFD-F032AFC27526", "versionEndExcluding": "2.11.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:fasterxml:jackson-dataformats-binary:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC85B4D7-6952-41AA-822C-7045F6352300", "versionEndExcluding": "2.12.1", "versionStartExcluding": "2.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.0:-:*:*:*:*:*:*", "matchCriteriaId": "7FBFAC5C-3C12-4F2B-AFA2-38A5D0867F6F", "vulnerable": true}, {"criteria": "cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "AE827068-6625-4634-9385-3672AB9096F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "2AD45DB3-F35D-486A-B43B-8B71F4CFE221", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "matchCriteriaId": "237329EB-B10C-47DC-8D7B-2B98D21E6CE8", "versionEndExcluding": "2.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception."}, {"lang": "es", "value": "Esto afecta al paquete com.fasterxml.jackson.dataformat:jackson-dataformat-cbor versiones desde 0 y anteriores a 2.11.4, versiones desde 2.12.0-rc1 y anteriores a 2.12.1. Una asignaci\u00f3n no comprobada de b\u00fafer de bytes puede causar una excepci\u00f3n de java.lang.OutOfMemoryError"}], "id": "CVE-2020-28491", "lastModified": "2024-11-21T05:22:53.697", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-18T16:15:13.207", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6"}, {"source": "report@snyk.io", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-dataformats-binary/issues/186"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-dataformats-binary/issues/186"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:0727", "cpe": "cpe:/a:redhat:logging:5.1::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-120", "product_name": "OpenShift Logging 5.1", "release_date": "2022-03-01T00:00:00Z"}, {"advisory": "RHSA-2022:0728", "cpe": "cpe:/a:redhat:logging:5.2::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-124", "product_name": "OpenShift Logging 5.2", "release_date": "2022-03-02T00:00:00Z"}, {"advisory": "RHSA-2022:0721", "cpe": "cpe:/a:redhat:logging:5.3::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-123", "product_name": "OpenShift Logging 5.3", "release_date": "2022-03-01T00:00:00Z"}, {"advisory": "RHSA-2021:3880", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "jackson-dataformat-cbor", "product_name": "Red Hat build of Quarkus 2.2.3", "release_date": "2021-10-20T00:00:00Z"}, {"advisory": "RHSA-2021:5134", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "jackson-dataformat-cbor", "product_name": "Red Hat Fuse 7.10", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2021:4918", "cpe": "cpe:/a:redhat:integration:1", "package": "jackson-dataformat-cbor", "product_name": "Red Hat Integration", "release_date": "2021-12-02T00:00:00Z"}, {"advisory": "RHSA-2021:4767", "cpe": "cpe:/a:redhat:camel_quarkus:2.2", "package": "jackson-dataformat-cbor", "product_name": "Red Hat Integration Camel Quarkus 2", "release_date": "2021-11-23T00:00:00Z"}, {"advisory": "RHSA-2021:3534", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "package": "jackson-dataformat-cbor", "product_name": "Red Hat Single Sign-On 7.4.9", "release_date": "2021-09-14T00:00:00Z"}, {"advisory": "RHSA-2021:3527", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7::el6", "package": "rh-sso7-keycloak-0:9.0.15-1.redhat_00002.1.el6sso", "product_name": "Red Hat Single Sign-On 7.4 for RHEL 6", "release_date": "2021-09-14T00:00:00Z"}, {"advisory": "RHSA-2021:3528", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7::el7", "package": "rh-sso7-keycloak-0:9.0.15-1.redhat_00002.1.el7sso", "product_name": "Red Hat Single Sign-On 7.4 for RHEL 7", "release_date": "2021-09-14T00:00:00Z"}, {"advisory": "RHSA-2021:3529", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7::el8", "package": "rh-sso7-keycloak-0:9.0.15-1.redhat_00002.1.el8sso", "product_name": "Red Hat Single Sign-On 7.4 for RHEL 8", "release_date": "2021-09-14T00:00:00Z"}, {"advisory": "RHSA-2022:0297", "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7.12", "package": "jackson-dataformat-cbor", "product_name": "RHDM 7.12.0", "release_date": "2022-01-26T00:00:00Z"}, {"advisory": "RHSA-2022:0296", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12", "package": "jackson-dataformat-cbor", "product_name": "RHPAM 7.12.0", "release_date": "2022-01-26T00:00:00Z"}, {"advisory": "RHSA-2021:3125", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "jackson-dataformat-cbor", "product_name": "vertx 4.1.2", "release_date": "2021-08-18T00:00:00Z"}], "bugzilla": {"description": "jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception", "id": "1930423", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930423"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception."], "name": "CVE-2020-28491", "package_state": [{"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "jackson-dataformat-cbor", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "openshift3/ose-logging-elasticsearch5", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Out of support scope", "package_name": "openshift4/ose-logging-elasticsearch6", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-metering-hadoop", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-metering-hive", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-metering-presto", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2021-02-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-28491\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-28491\nhttps://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329"], "statement": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jackson-dataformat-cbor.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\nIn OCP 4.6 the openshift4/ose-logging-elasticsearch6 container delivers the vulnerable version of jackson-dataformat-cbor, but OCP 4.6 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities because it is now in the Maintenance Phase of the support, hence this component is marked as ooss. Since the release of OCP 4.7 this component is delivered as part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8 container).\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "threat_severity": "Moderate"}