CVE-2021-46877

NameCVE-2021-46877
Descriptionjackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jackson-databind (PTS)jessie, jessie (lts)2.4.2-2+deb8u17fixed
stretch (security)2.8.6-1+deb9u10fixed
stretch (lts), stretch2.8.6-1+deb9u11fixed
buster (security), buster, buster (lts)2.9.8-3+deb10u5fixed
bullseye (security), bullseye2.12.1-1+deb11u1vulnerable
sid, trixie, bookworm2.14.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jackson-databindsourcejessie(not affected)
jackson-databindsourcestretch(not affected)
jackson-databindsourcebuster(not affected)
jackson-databindsource(unstable)2.13.2.2-1

Notes

[bullseye] - jackson-databind <no-dsa> (Minor issue)
[buster] - jackson-databind <not-affected> (Vulnerable code introduced in 2.10)
https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw
https://github.com/FasterXML/jackson-databind/issues/3328
https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-2.12.6)
https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-3.13.1)
[stretch] - jackson-databind <not-affected> (Vulnerable code introduced in 2.10)
[jessie] - jackson-databind <not-affected> (Vulnerable code introduced in 2.10)
Search for package or bug name: Reporting problems