CVE-2023-35116 Report - Details, Severity, & Advisories

Twingate Team

Apr 25, 2024

CVE-2023-35116 is a disputed vulnerability with a medium severity rating of 4.7, affecting the jackson-databind software through version 2.15.2. This vulnerability allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies. However, the vendor argues that this is not a valid vulnerability report, as the steps to construct a cyclic data structure and serialize it cannot be achieved by an external attacker. The types of systems affected are not explicitly mentioned, but it is known to impact software configurations using jackson-databind.

How do I know if I'm affected?

If you're using the jackson-databind software up to version 2.15.2, you might be affected by the vulnerability. This issue could cause a denial of service or other unspecified impacts through a crafted object with cyclic dependencies. However, the vendor disputes its validity, arguing that external attackers cannot achieve the necessary steps. To determine if you're affected, look for stack overflow errors caused by the serialization of a Map with a cyclic dependency in the jackson-databind library.

What should I do if I'm affected?

If you're affected by the vulnerability, it's recommended to update your jackson-databind library to a release that addresses the issue. Be cautious about the data you're serializing and avoid creating Maps with cyclic dependencies. Following these steps can help prevent denial of service or other impacts caused by this vulnerability.
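An added example (not from this page or from the jackson-databind project) of the pre-serialization check the advice above implies: an identity-based cycle detector that refuses to hand a self-referencing Map or Collection to ObjectMapper, so the failure is a clear, recoverable exception rather than the stack overflow error described above. It assumes jackson-databind is on the classpath; the class and method names (`CyclicMapGuard`, `hasCycle`, `serializeSafely`) are hypothetical.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.*;

public class CyclicMapGuard {
    // Walks Map values and Collection elements; returns true if the same container instance
    // appears twice on the current path (a reference cycle). Map keys are not walked here.
    static boolean hasCycle(Object node, Set<Object> onPath) {
        if (!(node instanceof Map) && !(node instanceof Collection)) {
            return false; // scalars and plain beans are not inspected by this guard
        }
        if (!onPath.add(node)) {  // identity set: same instance seen again on this path => cycle
            return true;
        }
        Iterable<?> children = (node instanceof Map)
                ? ((Map<?, ?>) node).values() : (Collection<?>) node;
        for (Object child : children) {
            if (hasCycle(child, onPath)) {
                return true;
            }
        }
        onPath.remove(node); // backtrack so shared-but-acyclic references still pass
        return false;
    }

    // Fails fast with a recoverable exception instead of letting Jackson recurse to a StackOverflowError.
    static String serializeSafely(ObjectMapper mapper, Object value) throws JsonProcessingException {
        Set<Object> onPath = Collections.newSetFromMap(new IdentityHashMap<Object, Boolean>());
        if (hasCycle(value, onPath)) {
            throw new IllegalArgumentException("refusing to serialize: cyclic reference detected");
        }
        return mapper.writeValueAsString(value);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        Map<String, Object> outer = new HashMap<>();  // constructed sample: outer -> inner -> outer
        Map<String, Object> inner = new HashMap<>();
        outer.put("child", inner);
        inner.put("parent", outer);                   // closes the cycle
        Map<String, Object> acyclic = new HashMap<>(); // constructed sample with no cycle
        acyclic.put("a", 1);
        acyclic.put("b", Collections.singletonList("x"));
        System.out.println(serializeSafely(mapper, acyclic));
        try {
            serializeSafely(mapper, outer);           // rejected before Jackson ever sees the cycle
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```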

Is CVE-2023-35116 in CISA’s Known Exploited Vulnerabilities Catalog?

As of now, CVE-2023-35116 is not listed in CISA's Known Exploited Vulnerabilities Catalog. This vulnerability, related to jackson-databind, was published on June 14, 2023. No specific due date or required action is mentioned for this vulnerability. In simpler terms, it involves a problem in the jackson-databind project that could potentially cause an application to crash, but the maintainers argue it cannot be exploited by external attackers.

Weakness enumeration

The weakness enumeration for CVE-2023-35116 identifies it as CWE-770, which involves resource allocation without limits or throttling, potentially causing a stack overflow error in the affected software.

For more details

CVE-2023-35116 is a disputed vulnerability in jackson-databind that could potentially cause denial of service or other impacts. For a comprehensive understanding of its description, severity, technical details, and affected software configurations, refer to the NVD page or the resource listed below.