CVE-2022-42004

Source
https://cve.org/CVERecord?id=CVE-2022-42004
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-42004.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-42004
Published
2022-10-02T05:15:09.237Z
Modified
2026-02-06T22:16:41.420112Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

References

Affected packages

Git / github.com/fasterxml/jackson-databind

Affected ranges

Affected versions

jackson-databind-2.*
jackson-databind-2.12.6
jackson-databind-2.12.6.1
jackson-databind-2.12.7
jackson-databind-2.13.0
jackson-databind-2.13.1
jackson-databind-2.13.2
jackson-databind-2.13.2.1
jackson-databind-2.13.2.2
jackson-databind-2.13.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-42004.json"
vanir_signatures
[
    {
        "id": "CVE-2022-42004-177dace2",
        "signature_type": "Function",
        "digest": {
            "function_hash": "41769431809239043105801363456361677444",
            "length": 185.0
        },
        "signature_version": "v1",
        "source": "https://github.com/fasterxml/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88",
        "target": {
            "function": "testArrayWrapping",
            "file": "src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java"
        },
        "deprecated": false
    },
    {
        "id": "CVE-2022-42004-b1166048",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://github.com/fasterxml/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88",
        "target": {
            "file": "src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java"
        },
        "deprecated": false
    },
    {
        "id": "CVE-2022-42004-c3275b0f",
        "signature_type": "Function",
        "digest": {
            "function_hash": "187973000674063989520344797230644815276",
            "length": 1020.0
        },
        "signature_version": "v1",
        "source": "https://github.com/fasterxml/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88",
        "target": {
            "function": "_deserializeFromArray",
            "file": "src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java"
        },
        "deprecated": false
    },
    {
        "id": "CVE-2022-42004-e3af9805",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://github.com/fasterxml/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88",
        "target": {
            "file": "src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java"
        },
        "deprecated": false
    }
]

Git / github.com/quarkusio/quarkus

Affected ranges

Type
GIT
Repo
https://github.com/quarkusio/quarkus
Events

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-42004.json"