CVE-2022-42003

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

History

27 Nov 2022, 22:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html -

24 Nov 2022, 16:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20221124-0004/ -

17 Nov 2022, 21:15

Type Values Removed Values Added
References
  • (DEBIAN) https://www.debian.org/security/2022/dsa-5283 -

31 Oct 2022, 04:15

Type Values Removed Values Added
References
  • (GENTOO) https://security.gentoo.org/glsa/202210-21 -

13 Oct 2022, 23:15

Type Values Removed Values Added
Summary In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1

04 Oct 2022, 18:56

Type Values Removed Values Added
References (MISC) https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33 - (MISC) https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33 - Patch, Third Party Advisory
References (MISC) https://github.com/FasterXML/jackson-databind/issues/3590 - (MISC) https://github.com/FasterXML/jackson-databind/issues/3590 - Exploit, Issue Tracking, Third Party Advisory
References (MISC) https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020 - (MISC) https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020 - Exploit, Issue Tracking, Mailing List, Patch, Third Party Advisory
CPE cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
First Time Fasterxml
Fasterxml jackson-databind
CWE CWE-502

02 Oct 2022, 05:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-10-02 05:15

Updated : 2022-11-27 22:15


NVD link : CVE-2022-42003

Mitre link : CVE-2022-42003


JSON object : View

Products Affected

fasterxml

  • jackson-databind
CWE
CWE-502

Deserialization of Untrusted Data