CVE-2020-28491

Source
https://cve.org/CVERecord?id=CVE-2020-28491
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28491.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-28491
Published
2021-02-18T16:15:13.207Z
Modified
2026-04-02T05:37:12.811764Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details

This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from version 0 up to (but not including) 2.11.4, and from 2.12.0-rc1 up to (but not including) 2.12.1. Unchecked allocation of a byte buffer can cause a java.lang.OutOfMemoryError exception.

Affected packages

Git / github.com/fasterxml/jackson-dataformats-binary

Affected ranges

Type
GIT
Repo
https://github.com/fasterxml/jackson-dataformats-binary
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.11.4"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "2.12.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.12.0-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.12.0-rc1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.12.0-rc2"
        }
    ]
}
Type
GIT
Repo
https://github.com/quarkusio/quarkus
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.0.2"
        }
    ]
}

Affected versions

0.*
0.0.1
0.1.0
0.10.0
0.11.0
0.12.0
0.13.0
0.13.1
0.13.2
0.13.3
0.14.0
0.15.0
0.16.0
0.16.1
0.17.0
0.18.0
0.19.0
0.19.1
0.2.0
0.20.0
0.21.0
0.21.1
0.21.2
0.22.0
0.23.0
0.23.1
0.23.2
0.24.0
0.25.0
0.26.0
0.26.1
0.27.0
0.28.0
0.28.1
0.3.0
0.4.0
0.5.0
0.6.0
0.7.0
0.8.0
0.9.0
0.9.1
1.*
1.0.0.CR1
1.0.0.CR2
1.0.0.Final
1.0.1.Final
1.1.0.CR1
1.1.0.Final
1.1.1.Final
1.10.0.CR1
1.10.0.Final
1.10.1.Final
1.10.2.Final
1.10.3.Final
1.10.4.Final
1.10.5.Final
1.11.0.Beta1
1.11.0.Beta2
1.11.0.CR1
1.11.0.Final
1.11.1.Final
1.11.2.Final
1.11.3.Final
1.11.4.Final
1.11.5.Final
1.11.6.Final
1.11.7.Final
1.12.0.CR1
1.12.0.Final
1.12.1.Final
1.12.2.Final
1.13.0.CR1
1.13.0.Final
1.13.1.Final
1.13.2.Final
1.13.3.Final
1.13.4.Final
1.13.5.Final
1.13.6.Final
1.13.7.Final
1.2.0.CR1
1.2.0.Final
1.2.1.Final
1.3.0.Alpha1
1.3.0.Alpha2
1.3.0.CR1
1.3.0.CR2
1.3.0.Final
1.3.1.Final
1.3.2.Final
1.3.3.Final
1.3.4.Final
1.4.0.CR1
1.4.0.Final
1.4.1.Final
1.4.2.Final
1.5.0.CR1
1.5.0.Final
1.5.1.Final
1.5.2.Final
1.6.0.CR1
1.6.0.Final
1.6.1.Final
1.7.0.CR1
1.7.0.CR2
1.7.0.Final
1.7.1.Final
1.7.2.Final
1.7.3.Final
1.7.4.Final
1.7.5.Final
1.7.6.Final
1.8.0.CR1
1.8.0.Final
1.8.1.Final
1.8.2.Final
1.8.3.Final
1.9.0.CR1
1.9.0.Final
1.9.1.Final
1.9.2.Final
2.*
2.0.0.Alpha1
2.0.0.Alpha2
2.0.0.Alpha3
2.0.0.CR1
2.0.0.CR2
2.0.0.CR3
2.0.0.Final
2.0.1.Final
2.0.3.Final
2.1.0.CR1
2.1.0.Final
2.1.1.Final
2.1.2.Final
2.1.3.Final
2.1.4.Final
2.10.0.CR1
2.10.0.Final
2.10.1.Final
2.10.2.Final
2.10.3.Final
2.10.4.Final
2.11.0.CR1
2.11.0.Final
2.11.1.Final
2.11.2.Final
2.11.3.Final
2.12.0.CR1
2.12.0.Final
2.12.1.Final
2.12.2.Final
2.12.3.Final
2.13.0.CR1
2.13.0.Final
2.13.1.Final
2.13.2.Final
2.13.3.Final
2.13.4.Final
2.13.5.Final
2.13.6.Final
2.13.7.Final
2.13.8.Final
2.13.9.Final
2.14.0.CR1
2.14.0.Final
2.14.1.Final
2.14.2.Final
2.14.3.Final
2.15.0.CR1
2.15.0.Final
2.15.1.Final
2.15.2.Final
2.15.3.Final
2.16.0.CR1
2.16.0.Final
2.16.1.Final
2.16.10.Final
2.16.11.Final
2.16.12.Final
2.16.2.Final
2.16.3.Final
2.16.4.Final
2.16.5.Final
2.16.6.Final
2.16.7.Final
2.16.8.Final
2.16.9.Final
2.2.0.CR1
2.2.0.Final
2.2.1.Final
2.2.2.Final
2.2.3.Final
2.2.4.Final
2.2.5.Final
2.3.0.CR1
2.3.0.Final
2.3.1.Final
2.4.0.CR1
2.4.0.Final
2.4.1.Final
2.4.2.Final
2.5.0.CR1
2.5.0.Final
2.5.1.Final
2.5.2.Final
2.5.3.Final
2.5.4.Final
2.6.0.CR1
2.6.0.Final
2.6.1.Final
2.6.2.Final
2.6.3.Final
2.7.0.CR1
2.7.0.Final
2.7.1.Final
2.7.2.Final
2.7.3.Final
2.7.4.Final
2.7.5.Final
2.7.6.Final
2.7.7.Final
2.8.0.CR1
2.8.0.Final
2.8.1.Final
2.8.2.Final
2.8.3.Final
2.9.0.CR1
2.9.0.Final
2.9.1.Final
2.9.2.Final
3.*
3.0.0.Alpha1
3.0.0.Alpha2
3.0.0.Alpha3
3.0.0.Alpha4
3.0.0.Alpha5
3.0.0.Alpha6
3.0.0.Beta1
3.0.0.CR1
3.0.0.CR2
3.0.0.Final
3.0.1.Final
3.0.2.Final
3.0.3.Final
3.0.4.Final
3.1.0.CR1
3.1.0.Final
3.1.1.Final
3.1.2.Final
3.1.3.Final
3.10.0
3.10.0.CR1
3.10.1
3.10.2
3.11.0
3.11.0.CR1
3.11.1
3.11.2
3.11.3
3.12.0
3.12.0.CR1
3.12.1
3.12.2
3.12.3
3.13.0
3.13.0.CR1
3.13.1
3.13.2
3.13.3
3.14.0
3.14.0.CR1
3.14.1
3.14.2
3.14.3
3.14.4
3.15.0
3.15.0.CR1
3.15.1
3.15.2
3.15.3
3.15.3.1
3.15.4
3.15.5
3.15.6
3.15.6.1
3.15.6.2
3.15.7
3.16.0
3.16.0.CR1
3.16.1
3.16.2
3.16.3
3.16.4
3.17.0
3.17.0.CR1
3.17.1
3.17.2
3.17.3
3.17.4
3.17.5
3.17.6
3.17.7
3.17.8
3.18.0
3.18.0.CR1
3.18.1
3.18.2
3.18.3
3.18.4
3.19.0
3.19.0.CR1
3.19.1
3.19.2
3.19.3
3.19.4
3.2.0.CR1
3.2.0.Final
3.2.1.Final
3.2.10.Final
3.2.11.Final
3.2.12.Final
3.2.2.Final
3.2.3.Final
3.2.4.Final
3.2.5.Final
3.2.6.Final
3.2.7.Final
3.2.8.Final
3.2.9.Final
3.20.0
3.20.0.CR1
3.20.1
3.20.2
3.20.2.1
3.20.2.2
3.20.3
3.20.4
3.20.5
3.21.0
3.21.0.CR1
3.21.1
3.21.2
3.21.3
3.21.4
3.22.0
3.22.0.CR1
3.22.1
3.22.2
3.22.3
3.23.0
3.23.0.CR1
3.23.1
3.23.2
3.23.3
3.23.4
3.24.0
3.24.0.CR1
3.24.1
3.24.2
3.24.3
3.24.4
3.24.5
3.25.0
3.25.0.CR1
3.25.1
3.25.2
3.25.3
3.25.4
3.26.0
3.26.0.CR1
3.26.1
3.26.2
3.26.3
3.26.4
3.27.0
3.27.0.CR1
3.27.1
3.27.2
3.28.0
3.28.0.CR1
3.28.1
3.28.2
3.28.3
3.28.4
3.28.5
3.29.0
3.29.0.CR1
3.29.1
3.29.2
3.29.3
3.29.4
3.3.0
3.3.0.CR1
3.3.1
3.3.2
3.3.3
3.30.0
3.30.0.CR1
3.30.1
3.30.2
3.30.3
3.30.4
3.30.5
3.30.6
3.31.0.CR1
3.4.0
3.4.0.CR1
3.4.1
3.4.2
3.4.3
3.5.0
3.5.0.CR1
3.5.1
3.5.2
3.5.3
3.6.0
3.6.0.CR1
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
3.6.9
3.7.0
3.7.0.CR1
3.7.1
3.7.2
3.7.3
3.7.4
3.8.0
3.8.0.CR1
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.6.1
3.9.0
3.9.0.CR1
3.9.0.CR2
3.9.1
3.9.2
3.9.3
3.9.4
3.9.5
jackson-dataformats-binary-2.*
jackson-dataformats-binary-2.10.0
jackson-dataformats-binary-2.10.0.pr1
jackson-dataformats-binary-2.10.0.pr2
jackson-dataformats-binary-2.10.0.pr3
jackson-dataformats-binary-2.10.1
jackson-dataformats-binary-2.10.2
jackson-dataformats-binary-2.10.3
jackson-dataformats-binary-2.10.4
jackson-dataformats-binary-2.10.5
jackson-dataformats-binary-2.11.0
jackson-dataformats-binary-2.11.0.rc1
jackson-dataformats-binary-2.11.1
jackson-dataformats-binary-2.11.2
jackson-dataformats-binary-2.11.3
jackson-dataformats-binary-2.12.0-rc1
jackson-dataformats-binary-2.8.0
jackson-dataformats-binary-2.8.0.rc1
jackson-dataformats-binary-2.8.0.rc2
jackson-dataformats-binary-2.8.1
jackson-dataformats-binary-2.8.10
jackson-dataformats-binary-2.8.11
jackson-dataformats-binary-2.8.2
jackson-dataformats-binary-2.8.3
jackson-dataformats-binary-2.8.4
jackson-dataformats-binary-2.8.5
jackson-dataformats-binary-2.8.6
jackson-dataformats-binary-2.8.7
jackson-dataformats-binary-2.8.8
jackson-dataformats-binary-2.8.9
jackson-dataformats-binary-2.9.0
jackson-dataformats-binary-2.9.0.pr1
jackson-dataformats-binary-2.9.0.pr2
jackson-dataformats-binary-2.9.0.pr3
jackson-dataformats-binary-2.9.0.pr4
jackson-dataformats-binary-2.9.1
jackson-dataformats-binary-2.9.10
jackson-dataformats-binary-2.9.2
jackson-dataformats-binary-2.9.3
jackson-dataformats-binary-2.9.4
jackson-dataformats-binary-2.9.5
jackson-dataformats-binary-2.9.6
jackson-dataformats-binary-2.9.7
jackson-dataformats-binary-2.9.8
jackson-dataformats-binary-2.9.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28491.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "12.2.1.3.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "12.2.1.4.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "14.1.1.0.0"
            }
        ]
    }
]
vanir_signatures
[
    {
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [],
            "threshold": 0.9
        },
        "source": "https://github.com/fasterxml/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6",
        "id": "CVE-2020-28491-0ebbf2d0",
        "target": {
            "file": "cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java"
        }
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "function_hash": "18576926615204975445573486525009627693",
            "length": 1339.0
        },
        "source": "https://github.com/fasterxml/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6",
        "id": "CVE-2020-28491-6c2fe96d",
        "target": {
            "file": "cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java",
            "function": "_finishBytes"
        }
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "function_hash": "133583911733986147634947244890322136993",
            "length": 396.0
        },
        "source": "https://github.com/fasterxml/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6",
        "id": "CVE-2020-28491-d02d9295",
        "target": {
            "file": "cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java",
            "function": "_readAndWriteBytes"
        }
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "function_hash": "250093413643581265500582662402343291543",
            "length": 528.0
        },
        "source": "https://github.com/fasterxml/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6",
        "id": "CVE-2020-28491-f0bd70c0",
        "target": {
            "file": "cbor/src/test/java/com/fasterxml/jackson/dataformat/cbor/failing/BrokenLongBinary186Test.java",
            "function": "testCorruptVeryLongBinary"
        }
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [],
            "threshold": 0.9
        },
        "source": "https://github.com/fasterxml/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6",
        "id": "CVE-2020-28491-f42175e3",
        "target": {
            "file": "cbor/src/test/java/com/fasterxml/jackson/dataformat/cbor/failing/BrokenLongBinary186Test.java"
        }
    }
]