CVE-2021-46877: 
Java vulnerability analysis and mitigation

A vulnerability was identified in jackson-databind versions 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1. The vulnerability, tracked as CVE-2021-46877, was disclosed on March 18, 2023, and allows attackers to cause a denial of service condition through JsonNode JDK serialization (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue specifically occurs in uncommon situations involving JsonNode JDK serialization, where an attacker can trigger excessive memory consumption of up to 2GB transient heap usage per read operation. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

When successfully exploited, this vulnerability can lead to a denial of service condition by consuming up to 2GB of transient heap memory per read operation. The impact is specifically limited to scenarios where JDK serialization is used with JsonNode types, and does not affect normal JSON reading/writing operations using ObjectMapper (Jackson User).

The vulnerability has been fixed in jackson-databind versions 2.12.6 and 2.13.1. Users are recommended to upgrade to these or newer versions to address the issue. It's worth noting that versions prior to 2.10.x are not affected by this vulnerability (Jackson User).

The jackson-databind development team has characterized this as an issue that is "ALMOST 100% NOT AFFECTING YOU IN ANY WAY wrt security," but noted that security scanning tools would likely flag it as a significant security concern (Jackson User).