Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yZ3Y5LXE1NDMtcnFnNM4AAvJu
Uncontrolled Resource Consumption in FasterXML jackson-databind
In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Permalink: https://github.com/advisories/GHSA-rgv9-q543-rqg4JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yZ3Y5LXE1NDMtcnFnNM4AAvJu
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 8 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-rgv9-q543-rqg4, CVE-2022-42004
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-42004
- https://github.com/FasterXML/jackson-databind/issues/3582
- https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490
- https://security.gentoo.org/glsa/202210-21
- https://www.debian.org/security/2022/dsa-5283
- https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
- https://github.com/FasterXML/jackson-databind/commit/35de19e7144c4df8ab178b800ba86e80c3d84252
- https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea
- https://security.netapp.com/advisory/ntap-20221118-0008
- https://github.com/advisories/GHSA-rgv9-q543-rqg4
Blast Radius: 40.4
Affected Packages
maven:com.fasterxml.jackson.core:jackson-databind
Dependent packages: 23,566Dependent repositories: 244,221
Downloads:
Affected Version Ranges: >= 2.13.0, < 2.13.4, < 2.12.7.1
Fixed in: 2.13.4, 2.12.7.1
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.5, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.11, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.16.0, 2.16.1, 2.16.2, 2.17.0, 2.17.1, 2.17.2, 2.17.3, 2.18.0, 2.18.1
All unaffected versions: