{ "threat_severity" : "Moderate", "public_date" : "2023-06-14T00:00:00Z", "bugzilla" : { "description" : "jackson-databind: denial of service via cylic dependencies", "id" : "2215214", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2215214" }, "cvss3" : { "cvss3_base_score" : "4.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-770", "details" : [ "jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker." ], "statement" : "This CVE is disputed by the component developers and is under reconsideration by NIST. As such, it should be excluded from scanning utilities or other compliance systems until the dispute is finalized.", "affected_release" : [ { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2024-02-07T00:00:00Z", "advisory" : "RHSA-2024:0719", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "mtr/mtr-rhel8-operator:1.2-9" }, { "product_name" : "MTA-6.2-RHEL-8", "release_date" : "2024-02-28T00:00:00Z", "advisory" : "RHSA-2024:1027", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.2::el8", "package" : "mta/mta-rhel8-operator:6.2.2-3" }, { "product_name" : "MTA-6.2-RHEL-9", "release_date" : "2024-02-28T00:00:00Z", "advisory" : "RHSA-2024:1027", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package" : "mta/mta-hub-rhel9:6.2.2-2" }, { "product_name" : "MTA-6.2-RHEL-9", "release_date" : "2024-02-28T00:00:00Z", "advisory" : "RHSA-2024:1027", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package" : "mta/mta-operator-bundle:6.2.2-5" }, { "product_name" : "MTA-6.2-RHEL-9", "release_date" : "2024-02-28T00:00:00Z", "advisory" : "RHSA-2024:1027", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package" : "mta/mta-pathfinder-rhel9:6.2.2-2" }, { "product_name" : "MTA-6.2-RHEL-9", "release_date" : "2024-02-28T00:00:00Z", "advisory" : "RHSA-2024:1027", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package" : "mta/mta-ui-rhel9:6.2.2-2" }, { "product_name" : "MTA-6.2-RHEL-9", "release_date" : "2024-02-28T00:00:00Z", "advisory" : "RHSA-2024:1027", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package" : "mta/mta-windup-addon-rhel9:6.2.2-3" }, { "product_name" : "OCP-Tools-4.14-RHEL-8", "release_date" : "2024-02-12T00:00:00Z", "advisory" : "RHSA-2024:0777", "cpe" : "cpe:/a:redhat:ocp_tools:4.14::el8", "package" : "jenkins-0:2.426.3.1706516352-3.el8" }, { "product_name" : "OCP-Tools-4.14-RHEL-8", "release_date" : "2024-02-12T00:00:00Z", "advisory" : "RHSA-2024:0777", "cpe" : "cpe:/a:redhat:ocp_tools:4.14::el8", "package" : "jenkins-2-plugins-0:4.14.1706516441-1.el8" }, { "product_name" : "Red Hat AMQ Broker 7", "release_date" : "2024-09-19T00:00:00Z", "advisory" : "RHSA-2024:6893", "cpe" : "cpe:/a:redhat:amq_broker:7.12", "package" : "jackson-databind" }, { "product_name" : "Red Hat build of Apache Camel 4.4.0 for Spring Boot", "release_date" : "2024-05-06T00:00:00Z", "advisory" : "RHSA-2024:2707", "cpe" : "cpe:/a:redhat:apache-camel-spring-boot:4.4.0", "package" : "jackson-databind" }, { "product_name" : "Red Hat Data Grid 8.4.4", "release_date" : "2023-09-28T00:00:00Z", "advisory" : "RHSA-2023:5396", "cpe" : "cpe:/a:redhat:jboss_data_grid:8", "package" : "jackson-databind" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "Cryostat 2", "fix_state" : "Will not fix", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:cryostat:2" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/elasticsearch6-rhel8", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Red Hat A-MQ Online", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:amq_online:1" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 3", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:camel_spring_boot:3" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Debezium 1", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Will not fix", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Will not fix", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "jackson-databind", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Camel Quarkus 2", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:camel_quarkus:2" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Will not fix", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Will not fix", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Will not fix", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Will not fix", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:amq_streams:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-35116\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-35116" ], "name" : "CVE-2023-35116", "mitigation" : { "value" : "jackson-databind should not be used to deserialize untrusted inputs. User inputs should be validated and sanitized before processing.", "lang" : "en:us" }, "csaw" : false }