jackson-dataformat-cbor-2.10.1.jar vulnerability 

Issue date: 13-12-2021
Affects versions: 14.6, 13.4

Security Issue ID

SECURITY-258

Affected Product Version(s)

14.6.3, 13.4.10 and previous releases.


Severity

medium

Description

CVE-2020-28491

This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor in all versions before 2.11.4, and in versions from 2.12.0-rc1 up to but not including 2.12.1. The CBOR parser allocated a byte buffer of the size declared in the input without checking that size first, so a small crafted CBOR document can trigger a java.lang.OutOfMemoryError and deny service to the parsing process. The jackson-dataformat-cbor-2.10.1.jar shipped with the affected product versions falls inside this range.

CWE-770 Allocation of Resources Without Limits or Throttling
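The following is an added example, not code from this advisory, the product, or the Jackson project. It uses a minimal Python CBOR byte-string decoder to show the CWE-770 pattern behind this CVE: the byte-string head declares a length, and the vulnerable decoder allocates a buffer of that declared size before checking whether the input can actually supply it, while the hardened decoder first bounds the allocation by the bytes present and by an explicit cap. The sample payloads are constructed here; the function names and the `max_length` cap are this example's own choices, and Jackson's actual fix in 2.11.4 / 2.12.1 is not reproduced.

```python
import struct
from typing import Tuple

# Constructed sample input (not captured from a real system):
# 0x45 = major type 2 (byte string), additional info 5 -> five inline bytes follow.
SMALL_PAYLOAD = b"\x45hello"


def cbor_bytes_header(declared_length: int) -> bytes:
    """Build a CBOR byte-string head that claims `declared_length` bytes follow.

    0x5b = major type 2 with additional info 27 (8-byte unsigned length).
    Only the 9-byte head is returned, so the claimed payload is never present.
    """
    return b"\x5b" + struct.pack(">Q", declared_length)


def read_byte_string_length(data: bytes) -> Tuple[int, int]:
    """Parse a CBOR byte-string head; return (declared_length, payload_offset)."""
    if not data:
        raise ValueError("empty input")
    major, info = data[0] >> 5, data[0] & 0x1F
    if major != 2:
        raise ValueError("not a byte string (major type %d)" % major)
    if info < 24:                       # length encoded in the initial byte
        return info, 1
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if width is None:
        raise ValueError("unsupported additional info %d" % info)
    if len(data) < 1 + width:
        raise ValueError("truncated length field")
    return int.from_bytes(data[1:1 + width], "big"), 1 + width


def decode_vulnerable(data: bytes) -> bytes:
    """CWE-770 pattern: trust the declared length and allocate it before reading."""
    length, pos = read_byte_string_length(data)
    buf = bytearray(length)             # size is attacker-controlled; may raise MemoryError
    chunk = data[pos:pos + length]
    buf[:len(chunk)] = chunk
    return bytes(buf[:len(chunk)])


def decode_hardened(data: bytes, max_length: int = 1 << 20) -> bytes:
    """Check the declared length against the input and a cap before allocating."""
    length, pos = read_byte_string_length(data)
    available = len(data) - pos
    if length > available:
        raise ValueError("declared length %d exceeds %d available bytes" % (length, available))
    if length > max_length:
        raise ValueError("declared length %d exceeds cap %d" % (length, max_length))
    return bytes(data[pos:pos + length])


def outcome(decoder, data: bytes) -> str:
    """Run a decoder and summarise the result so the two paths can be compared."""
    try:
        return "ok:" + decoder(data).decode("ascii")
    except MemoryError:
        return "oom"
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    hostile = cbor_bytes_header(1 << 62)   # claims 4 EiB; only 9 bytes on the wire
    for name, dec in (("vulnerable", decode_vulnerable), ("hardened", decode_hardened)):
        print(name, outcome(dec, SMALL_PAYLOAD), outcome(dec, hostile))
```

The point of the hardened path is ordering: every check on the declared length happens before any allocation proportional to it, and the cap is a deliberate, documented limit rather than whatever the heap happens to tolerate. The crafted head from `cbor_bytes_header` is also a convenient regression input for a throw-away test instance of any CBOR consumer, since a correct parser must reject it without allocating.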

CVSSv2:

  • Base Score: MEDIUM (5.0)
  • Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSSv3:

  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Referenced In Projects/Scopes: 

  • Starter Store Addon Connectors commercetools:compile

Instructions

Customers are advised to upgrade to the latest release, which at the time of writing is 14.7.0 or 13.4.11.