GHSA-jjjh-jjxp-wpff

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json
Aliases
Published
2022-10-03T00:00:31Z
Modified
2023-04-11T01:35:18.327239Z
Details

In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2, resource exhaustion can occur because primitive value deserializers lack a check to avoid deep wrapper array nesting when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.

References

Affected packages

Maven / com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0-rc1
Fixed
2.12.7.1

Affected versions

2.*

2.10.0
2.10.0.pr1
2.10.0.pr2
2.10.0.pr3
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.10.5.1
2.11.0
2.11.0.rc1
2.11.1
2.11.2
2.11.3
2.11.4
2.12.0
2.12.0-rc1
2.12.0-rc2
2.12.1
2.12.2
2.12.3
2.12.4
2.12.5
2.12.6
2.12.6.1
2.12.7
2.4.0
2.4.0-rc1
2.4.0-rc2
2.4.0-rc3
2.4.1
2.4.1.1
2.4.1.2
2.4.1.3
2.4.2
2.4.3
2.4.4
2.4.5
2.4.5.1
2.4.6
2.4.6.1
2.5.0
2.5.0-rc1
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0
2.6.0-rc1
2.6.0-rc2
2.6.0-rc3
2.6.0-rc4
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.7.1
2.6.7.2
2.6.7.3
2.6.7.4
2.6.7.5
2.7.0
2.7.0-rc1
2.7.0-rc2
2.7.0-rc3
2.7.1
2.7.1-1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.9.1
2.7.9.2
2.7.9.3
2.7.9.4
2.7.9.5
2.7.9.6
2.7.9.7
2.8.0
2.8.0.rc1
2.8.0.rc2
2.8.1
2.8.10
2.8.11
2.8.11.1
2.8.11.2
2.8.11.3
2.8.11.4
2.8.11.5
2.8.11.6
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.8.1
2.8.9
2.9.0
2.9.0.pr1
2.9.0.pr2
2.9.0.pr3
2.9.0.pr4
2.9.1
2.9.10
2.9.10.1
2.9.10.2
2.9.10.3
2.9.10.4
2.9.10.5
2.9.10.6
2.9.10.7
2.9.10.8
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.9.9.1
2.9.9.2
2.9.9.3

Maven / com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.13.0
Fixed
2.13.4.2

Affected versions

2.*

2.13.0
2.13.1
2.13.2
2.13.2.1
2.13.2.2
2.13.3
2.13.4
2.13.4.1