CVE-2020-36518

Name	CVE-2020-36518
Description	jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
References	DLA-2990-1
Debian Bugs	1007109

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
jackson-databind (PTS)	buster	2.9.8-3+deb10u3	vulnerable
	buster (security)	2.9.8-3+deb10u1	vulnerable
	bullseye	2.12.1-1	vulnerable
	bookworm, sid	2.13.2.2-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
jackson-databind	source	stretch	2.8.6-1+deb9u10		DLA-2990-1
jackson-databind	source	(unstable)	2.13.2.2-1			1007109

Notes

[bullseye] - jackson-databind <no-dsa> (Minor issue)
[buster] - jackson-databind <no-dsa> (Minor issue)
https://github.com/FasterXML/jackson-databind/issues/2816