GHSA-jjjh-jjxp-wpff

Source

https://github.com/advisories/GHSA-jjjh-jjxp-wpff

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json

Aliases

CVE-2022-42003

Published

2022-10-03T00:00:31Z

Modified

2024-03-15T00:32:17.508790Z

Details

In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAPSINGLEVALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.

Commits that introduced vulnerable code are https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc.

Fix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.

References

Affected packages

Maven / com.fasterxml.jackson.core:jackson-databind

Package

Name: com.fasterxml.jackson.core:jackson-databind

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.4.0-rc1

Fixed

2.12.7.1

Affected versions

2.*

2.4.0-rc1

2.4.0-rc2

2.4.0-rc3

2.4.0

2.4.1

2.4.1.1

2.4.1.2

2.4.1.3

2.4.2

2.4.3

2.4.4

2.4.5

2.4.5.1

2.4.6

2.4.6.1

2.5.0-rc1

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.6.0-rc1

2.6.0-rc2

2.6.0-rc3

2.6.0-rc4

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.6.7.1

2.6.7.2

2.6.7.3

2.6.7.4

2.6.7.5

2.7.0-rc1

2.7.0-rc2

2.7.0-rc3

2.7.0

2.7.1

2.7.1-1

2.7.2

2.7.3

2.7.4

2.7.5

2.7.6

2.7.7

2.7.8

2.7.9

2.7.9.1

2.7.9.2

2.7.9.3

2.7.9.4

2.7.9.5

2.7.9.6

2.7.9.7

2.8.0.rc1

2.8.0.rc2

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.8.1

2.8.9

2.8.10

2.8.11

2.8.11.1

2.8.11.2

2.8.11.3

2.8.11.4

2.8.11.5

2.8.11.6

2.9.0

2.9.0.pr1

2.9.0.pr2

2.9.0.pr3

2.9.0.pr4

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.9.9

2.9.9.1

2.9.9.2

2.9.9.3

2.9.10

2.9.10.1

2.9.10.2

2.9.10.3

2.9.10.4

2.9.10.5

2.9.10.6

2.9.10.7

2.9.10.8

2.10.0

2.10.0.pr1

2.10.0.pr2

2.10.0.pr3

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

2.10.5.1

2.11.0.rc1

2.11.0

2.11.1

2.11.2

2.11.3

2.11.4

2.12.0-rc1

2.12.0-rc2

2.12.0

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.12.6

2.12.6.1

2.12.7

Maven / com.fasterxml.jackson.core:jackson-databind

Package

Name: com.fasterxml.jackson.core:jackson-databind

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.13.0

Fixed

2.13.4.2

Affected versions

2.*

2.13.0

2.13.1

2.13.2

2.13.2.1

2.13.2.2

2.13.3

2.13.4

2.13.4.1