In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
References
Link | Resource |
---|---|
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020 | Exploit Issue Tracking Mailing List Patch Third Party Advisory |
https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33 | Patch Third Party Advisory |
https://github.com/FasterXML/jackson-databind/issues/3590 | Exploit Issue Tracking Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html | Mailing List Third Party Advisory |
https://security.gentoo.org/glsa/202210-21 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20221124-0004/ | Third Party Advisory |
https://www.debian.org/security/2022/dsa-5283 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
20 Dec 2023, 10:15
Type | Values Removed | Values Added |
---|---|---|
Summary | (en) In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. |
02 Dec 2022, 15:14
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:* |
|
First Time |
Debian
Netapp oncommand Workflow Automation Netapp Quarkus quarkus Debian debian Linux Quarkus |
|
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20221124-0004/ - Third Party Advisory | |
References | (GENTOO) https://security.gentoo.org/glsa/202210-21 - Third Party Advisory | |
References | (DEBIAN) https://www.debian.org/security/2022/dsa-5283 - Third Party Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html - Mailing List, Third Party Advisory |
27 Nov 2022, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
24 Nov 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
17 Nov 2022, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
31 Oct 2022, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Oct 2022, 23:15
Type | Values Removed | Values Added |
---|---|---|
Summary | In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1 |
04 Oct 2022, 18:56
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33 - Patch, Third Party Advisory | |
References | (MISC) https://github.com/FasterXML/jackson-databind/issues/3590 - Exploit, Issue Tracking, Third Party Advisory | |
References | (MISC) https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020 - Exploit, Issue Tracking, Mailing List, Patch, Third Party Advisory | |
CPE | cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
First Time |
Fasterxml
Fasterxml jackson-databind |
|
CWE | CWE-502 |
02 Oct 2022, 05:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-10-02 05:15
Updated : 2023-12-20 10:15
NVD link : CVE-2022-42003
Mitre link : CVE-2022-42003
CVE.ORG link : CVE-2022-42003
JSON object : View
Products Affected
debian
- debian_linux
netapp
- oncommand_workflow_automation
quarkus
- quarkus
fasterxml
- jackson-databind
CWE
CWE-502
Deserialization of Untrusted Data