Lucene search

GoogleOSV:GHSA-JJJH-JJXP-WPFF

HistoryOct 03, 2022 - 12:00 a.m.

Uncontrolled Resource Consumption in Jackson-databind

2022-10-0300:00:31

Google

osv.dev

229

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.7 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

61.0%

JSON

In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.

Commits that introduced vulnerable code are
https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc.

Fix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.

CPENameOperatorVersion
com.fasterxml.jackson.core:jackson-databindeq2.10.0.pr3
com.fasterxml.jackson.core:jackson-databindeq2.6.7.2
com.fasterxml.jackson.core:jackson-databindeq2.9.0
com.fasterxml.jackson.core:jackson-databindeq2.9.0.pr2
com.fasterxml.jackson.core:jackson-databindeq2.8.0.rc1
com.fasterxml.jackson.core:jackson-databindeq2.10.5
com.fasterxml.jackson.core:jackson-databindeq2.7.9.1
com.fasterxml.jackson.core:jackson-databindeq2.6.6
com.fasterxml.jackson.core:jackson-databindeq2.13.0
com.fasterxml.jackson.core:jackson-databindeq2.8.4

Name	Operator	Version
com.fasterxml.jackson.core:jackson-databind	eq	2.10.0.pr3
com.fasterxml.jackson.core:jackson-databind	eq	2.6.7.2
com.fasterxml.jackson.core:jackson-databind	eq	2.9.0
com.fasterxml.jackson.core:jackson-databind	eq	2.9.0.pr2
com.fasterxml.jackson.core:jackson-databind	eq	2.8.0.rc1
com.fasterxml.jackson.core:jackson-databind	eq	2.10.5
com.fasterxml.jackson.core:jackson-databind	eq	2.7.9.1
com.fasterxml.jackson.core:jackson-databind	eq	2.6.6
com.fasterxml.jackson.core:jackson-databind	eq	2.13.0
com.fasterxml.jackson.core:jackson-databind	eq	2.8.4

Rows per page:

1-10 of 1421

References

bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020

github.com/FasterXML/jackson-databind

github.com/FasterXML/jackson-databind/blob/2.13/release-notes/VERSION-2.x

github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1

github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288

github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc

github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea

github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45

github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33

github.com/FasterXML/jackson-databind/commits/jackson-databind-2.4.0-rc1?after=75b97b8519f0d50c62523ad85170d80a197a2c86+174&branch=jackson-databind-2.4.0-rc1&qualified_name=refs%2Ftags%2Fjackson-databind-2.4.0-rc1

github.com/FasterXML/jackson-databind/compare/jackson-databind-2.13.4.1...jackson-databind-2.13.4.2

github.com/FasterXML/jackson-databind/issues/3590

github.com/FasterXML/jackson-databind/issues/3627

lists.debian.org/debian-lts-announce/2022/11/msg00035.html

nvd.nist.gov/vuln/detail/CVE-2022-42003

security.gentoo.org/glsa/202210-21

security.netapp.com/advisory/ntap-20221124-0004

www.debian.org/security/2022/dsa-5283