In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur
because BeanDeserializer._deserializeFromArray lacks a check that would
prevent the use of deeply nested arrays. An application is vulnerable only
with certain customized choices for deserialization.
| OS | OS Version | Architecture | Package | Package Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 22.04 | noarch | jackson-databind | < any | UNKNOWN |
| ubuntu | 23.10 | noarch | jackson-databind | < any | UNKNOWN |
| ubuntu | 24.04 | noarch | jackson-databind | < any | UNKNOWN |
bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490
github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88 (jackson-databind-2.13.4)
github.com/FasterXML/jackson-databind/issues/3582
launchpad.net/bugs/cve/CVE-2022-42004
nvd.nist.gov/vuln/detail/CVE-2022-42004
security-tracker.debian.org/tracker/CVE-2022-42004
www.cve.org/CVERecord?id=CVE-2022-42004