First published: Sat Mar 18 2023
A flaw was found in Jackson Databind (jackson-databind). This issue may allow a malicious user to cause a denial of service (2 GB of transient heap usage per read) in uncommon situations involving JDK serialization of JsonNode objects.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jenkins | <0:2.401.1.1686649641-3.el8 | 0:2.401.1.1686649641-3.el8 |
redhat/jenkins | <0:2.387.3.1684911776-3.el8 | 0:2.387.3.1684911776-3.el8 |
redhat/eap7-wildfly | <0:7.4.12-3.GA_redhat_00003.1.el8ea | 0:7.4.12-3.GA_redhat_00003.1.el8ea |
redhat/eap7-wildfly | <0:7.4.12-3.GA_redhat_00003.1.el9ea | 0:7.4.12-3.GA_redhat_00003.1.el9ea |
redhat/eap7-wildfly | <0:7.4.12-3.GA_redhat_00003.1.el7ea | 0:7.4.12-3.GA_redhat_00003.1.el7ea |
redhat/rh-sso7-keycloak | <0:18.0.9-1.redhat_00001.1.el7 | 0:18.0.9-1.redhat_00001.1.el7 |
redhat/rh-sso7-keycloak | <0:18.0.9-1.redhat_00001.1.el8 | 0:18.0.9-1.redhat_00001.1.el8 |
redhat/rh-sso7-keycloak | <0:18.0.9-1.redhat_00001.1.el9 | 0:18.0.9-1.redhat_00001.1.el9 |
FasterXML jackson-databind | >=2.10.0 <2.12.6 | |
FasterXML jackson-databind | =2.13.0 | |
FasterXML jackson-databind | =2.13.0-rc1 | |
FasterXML jackson-databind | =2.13.0-rc2 | |
redhat/jackson-databind | <2.13.1 | 2.13.1 |
redhat/jackson-databind | <2.12.6 | 2.12.6 |
IBM Security Verify Governance - Identity Manager, Software component | <=ISVG 10.0.2 | |
CVE-2021-46877 is rated high severity, with a severity score of 7.5.
The affected software of CVE-2021-46877 includes jackson-databind versions 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1.
An attacker can exploit CVE-2021-46877 to cause a denial of service (2 GB of transient heap usage per read) in uncommon situations involving JDK serialization of JsonNode objects.
The remedy for CVE-2021-46877 is to update to jackson-databind version 2.12.6 or 2.13.1.
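As an added example (not code from SecAlerts, Red Hat or the jackson-databind project), the affected version ranges listed above are encoded below as a small Python check that reports whether a given jackson-databind version is affected and which fix version (2.12.6 or 2.13.1) applies. It also scans dependency-list lines for the `com.fasterxml.jackson.core:jackson-databind` coordinate; the lines it scans are constructed sample input in the `groupId:artifactId:type:version:scope` shape that `mvn dependency:list` prints, not output from any real build.

```python
"""Check a jackson-databind version against the CVE-2021-46877 affected ranges."""
import re
from typing import List, Optional, Tuple

# Affected ranges taken from the advisory table above:
#   >=2.10.0 and <2.12.6                          -> fixed in 2.12.6
#   2.13.0-rc1, 2.13.0-rc2, 2.13.0 (2.13.x < 2.13.1) -> fixed in 2.13.1
AFFECTED_RANGES = [
    ("2.10.0", "2.12.6", "2.12.6"),
    ("2.13.0-rc1", "2.13.1", "2.13.1"),
]

# MAJOR.MINOR.PATCH, an optional fourth micro component, and an optional -rcN suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, Tuple[int, int]]:
    """Parse a jackson-style version string into a tuple that sorts correctly.

    Release candidates sort before the final release of the same number,
    so 2.13.0-rc2 < 2.13.0 < 2.13.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, micro, rc = m.groups()
    # (0, N) for release candidate N, (1, 0) for the final release.
    pre = (0, int(rc)) if rc is not None else (1, 0)
    return (int(major), int(minor), int(patch), int(micro or 0), pre)


def fixed_version(version: str) -> Optional[str]:
    """Return the fix version if `version` is affected by CVE-2021-46877, else None."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        # Lower bound inclusive, upper bound exclusive, as in the table.
        if parse_version(low) <= v < parse_version(high):
            return fix
    return None


def is_affected(version: str) -> bool:
    return fixed_version(version) is not None


# Matches a groupId:artifactId:type:version:scope coordinate anywhere in a line.
_COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):\w+")


def scan_dependency_list(lines) -> List[Tuple[str, str]]:
    """Report (found_version, fix_version) for every affected jackson-databind entry."""
    findings = []
    for line in lines:
        m = _COORD_RE.search(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        if group != "com.fasterxml.jackson.core" or artifact != "jackson-databind":
            continue
        try:
            fix = fixed_version(version)
        except ValueError:
            # Unparseable version: leave it for manual review rather than crash.
            continue
        if fix is not None:
            findings.append((version, fix))
    return findings


# Constructed sample output (not from any real build) in the shape mvn dependency:list prints.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.12.3:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.12.3:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile
"""

if __name__ == "__main__":
    for found, fix in scan_dependency_list(SAMPLE_DEPENDENCY_LIST.splitlines()):
        print(f"jackson-databind {found} is affected by CVE-2021-46877; update to {fix}")
```

The check treats the lower bound of each range as inclusive and the upper bound as exclusive, which is how the table expresses them (`>=2.10.0 <2.12.6`, fixed in `2.12.6`); a version the regex cannot parse is skipped rather than reported, so anything unusual in a build's dependency output still needs a manual look.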
You can find more information about CVE-2021-46877 on the CVE website (https://www.cve.org/CVERecord?id=CVE-2021-46877) and the NIST National Vulnerability Database (https://nvd.nist.gov/vuln/detail/CVE-2021-46877).