CVE-2020-36518: 
Java vulnerability analysis and mitigation

CVE-2020-36518 affects jackson-databind versions before 2.13.0, allowing attackers to cause a Java StackOverflow exception and denial of service through a large depth of nested objects. The vulnerability was disclosed in March 2022 and impacts various software products that utilize the jackson-databind library (NVD, GitHub Issue).

The vulnerability exists in the implementation of UntypedObjectDeserializer in jackson-databind, which is prone to denial of service attacks when processing deeply nested object and array values. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely without authentication (NVD).

Successful exploitation of this vulnerability can lead to denial of service (DoS) through Java StackOverflow exceptions. The vulnerability is particularly concerning as it can be triggered with relatively modest JVM memory by using documents with approximately ten thousand levels of nesting (GitHub Issue).

The vulnerability has been fixed in jackson-databind version 2.13.0 and later. Various vendors have released patches for their affected products, including Debian (versions 2.12.1-1+deb11u1), NetApp products, and Oracle systems. Organizations using affected versions should upgrade to the patched versions (Debian Advisory, NetApp Advisory).