CVE-2023-35116: 
Linux Red Hat vulnerability analysis and mitigation

jackson-databind through version 2.15.2 contains a vulnerability that allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. However, this vulnerability is disputed as the vendor states that it is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker (NVD).

The vulnerability is related to stack overflow errors that occur during the serialization of Map objects with cyclic dependencies. When attempting to serialize a Map that contains a reference to itself, the process results in a java.lang.StackOverflowError due to infinite recursive processing. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The primary impact of this vulnerability is a potential denial of service condition when processing crafted objects with cyclic dependencies. The vulnerability affects the availability of the system but does not impact confidentiality or integrity (NVD).

The vendor suggests that this is not a valid vulnerability as it cannot be exploited externally. However, potential solutions include adding depth tracking to record the current parsing depth and throwing an exception if it exceeds a certain threshold, or changing the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing (GitHub Issue).