Denial of Service Vulnerability in Jackson Databind by FasterXML
CVE-2021-46877

7.5HIGH

Key Information:

Vendor: Fasterxml
Status: Jackson-databind
Vendor: CVE Published:; 18 March 2023

What is CVE-2021-46877?

This vulnerability allows attackers to exploit jackson-databind versions 2.10.x through 2.12.x (before 2.12.6) and 2.13.x (before 2.13.1) to cause a denial of service. In specific situations involving JsonNode JDK serialization, it can lead to excessive transient heap usage, potentially consuming up to 2 GB of heap memory per read operation, which can disrupt application performance and availability.

References

https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw

https://github.com/FasterXML/jackson-databind/issues/3328

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 18, 2023
Vulnerability Reserved
Mar 18, 2023

CVE-2021-46877 Data

JSON

Fasterxml

What is CVE-2021-46877?

References

CVSS V3.1

Timeline