CVE-2023-35116
Detail
Modified After Enrichment
This CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes.
Description
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
Metrics
β
NVD enrichment efforts reference publicly available information to associate
vector strings. CVSS information contributed by other sources is also
displayed.
CVSS 4.0 Severity and Vector Strings:
NVD assessment
not yet provided.
CVSS 3.x Severity and Vector Strings:
Vector:
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0 Severity and Vector Strings:
Base
Score:
NVD assessment
not yet provided.
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace.
We have provided these links to other web sites because they
may have information that would be of interest to you. No
inferences should be drawn on account of other sites being
referenced, or not, from this page. There may be other web
sites that are more appropriate for your purpose. NIST does
not necessarily endorse the views expressed, or concur with
the facts presented on these sites. Further, NIST does not
endorse any commercial products that may be mentioned on
these sites. Please address comments about this page to [email protected].
Change History
14 change records found show changes
CVE Modified by MITRE
6/17/2026 2:04:26 AM
| Action |
Type |
Old Value |
New Value |
| Added |
Affected |
[{"vendor":"n/a","product":"n/a","versions":[{"version":"n/a","status":"affected"}]}]
|
CVE Modified by CVE
11/21/2024 3:07:58 AM
| Action |
Type |
Old Value |
New Value |
| Added |
Reference |
https://github.com/FasterXML/jackson-databind/issues/3972
|
CVE Modified by MITRE
8/02/2024 1:15:32 PM
| Action |
Type |
Old Value |
New Value |
CVE Modified by MITRE
5/16/2024 10:25:19 PM
| Action |
Type |
Old Value |
New Value |
CVE Modified by MITRE
5/14/2024 9:16:23 AM
| Action |
Type |
Old Value |
New Value |
CVE Modified by MITRE
4/10/2024 9:20:32 PM
| Action |
Type |
Old Value |
New Value |
CVE Modified by MITRE
3/20/2024 10:47:55 PM
| Action |
Type |
Old Value |
New Value |
| Added |
Tag |
MITRE disputed
|
Modified Analysis by NIST
12/07/2023 7:13:13 AM
| Action |
Type |
Old Value |
New Value |
| Changed |
CPE Configuration |
OR
*cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* versions up to (including) 2.15.2
|
OR
*cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* versions up to (excluding) 2.16.0
|
CVE Modified by MITRE
11/06/2023 11:15:53 PM
| Action |
Type |
Old Value |
New Value |
| Changed |
Description |
** DISPUTED ** jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
|
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
|
CVE Modified by MITRE
7/26/2023 1:15:12 PM
| Action |
Type |
Old Value |
New Value |
| Changed |
Description |
** DISPUTED ** An issue was discovered jackson-databind thru 2.15.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that the product is not intended for use with untrusted input.
|
** DISPUTED ** jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
|
Reanalysis by NIST
7/14/2023 2:52:52 PM
| Action |
Type |
Old Value |
New Value |
| Added |
CWE |
NIST CWE-770
|
| Removed |
CWE |
NIST CWE-502
|
Reanalysis by NIST
7/13/2023 12:45:46 PM
| Action |
Type |
Old Value |
New Value |
| Added |
CVSS V3.1 |
NIST AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
|
| Removed |
CVSS V3.1 |
NIST AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| Changed |
Reference Type |
https://github.com/FasterXML/jackson-databind/issues/3972 Exploit, Issue Tracking
|
https://github.com/FasterXML/jackson-databind/issues/3972 Issue Tracking
|
Initial Analysis by NIST
6/26/2023 12:52:40 PM
| Action |
Type |
Old Value |
New Value |
| Added |
CVSS V3.1 |
NIST AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| Added |
CWE |
NIST CWE-502
|
| Added |
CPE Configuration |
OR
*cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* versions up to (including) 2.15.2
|
| Changed |
Reference Type |
https://github.com/FasterXML/jackson-databind/issues/3972 No Types Assigned
|
https://github.com/FasterXML/jackson-databind/issues/3972 Exploit, Issue Tracking
|
CVE Modified by MITRE
6/19/2023 11:15:09 AM
| Action |
Type |
Old Value |
New Value |
| Changed |
Description |
An issue was discovered jackson-databind thru 2.15.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.
|
** DISPUTED ** An issue was discovered jackson-databind thru 2.15.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that the product is not intended for use with untrusted input.
|
Quick Info
CVE Dictionary Entry: CVE-2023-35116 NVD
Published Date: 06/14/2023 NVD
Last Modified: 06/17/2026
Source: MITRE
|
