GHSA-jjjh-jjxp-wpff

Suggest an improvement
Source
https://github.com/advisories/GHSA-jjjh-jjxp-wpff
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jjjh-jjxp-wpff
Aliases
Related
Published
2022-10-03T00:00:31Z
Modified
2024-10-22T05:28:54.705123Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Uncontrolled Resource Consumption in Jackson-databind
Details

In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAPSINGLEVALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.

Commits that introduced vulnerable code are https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc.

Fix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.

The 2.13.4.1 release does fix this issue, however it also references a non-existent jackson-bom which causes build failures for gradle users. See https://github.com/FasterXML/jackson-databind/issues/3627#issuecomment-1277957548 for details. This is fixed in 2.13.4.2 which is listed in the advisory metadata so that users are not subjected to unnecessary build failures

Database specific
{
    "nvd_published_at": "2022-10-02T05:15:00Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-04T21:55:46Z"
}
References

Affected packages

Maven / com.fasterxml.jackson.core:jackson-databind

Package

Name
com.fasterxml.jackson.core:jackson-databind
View open source insights on deps.dev
Purl
pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0-rc1
Fixed
2.12.7.1

Affected versions

2.*

2.4.0-rc1
2.4.0-rc2
2.4.0-rc3
2.4.0
2.4.1
2.4.1.1
2.4.1.2
2.4.1.3
2.4.2
2.4.3
2.4.4
2.4.5
2.4.5.1
2.4.6
2.4.6.1
2.5.0-rc1
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0-rc1
2.6.0-rc2
2.6.0-rc3
2.6.0-rc4
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.7.1
2.6.7.2
2.6.7.3
2.6.7.4
2.6.7.5
2.7.0-rc1
2.7.0-rc2
2.7.0-rc3
2.7.0
2.7.1
2.7.1-1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.9.1
2.7.9.2
2.7.9.3
2.7.9.4
2.7.9.5
2.7.9.6
2.7.9.7
2.8.0.rc1
2.8.0.rc2
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.8.1
2.8.9
2.8.10
2.8.11
2.8.11.1
2.8.11.2
2.8.11.3
2.8.11.4
2.8.11.5
2.8.11.6
2.9.0
2.9.0.pr1
2.9.0.pr2
2.9.0.pr3
2.9.0.pr4
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.9.9.1
2.9.9.2
2.9.9.3
2.9.10
2.9.10.1
2.9.10.2
2.9.10.3
2.9.10.4
2.9.10.5
2.9.10.6
2.9.10.7
2.9.10.8
2.10.0
2.10.0.pr1
2.10.0.pr2
2.10.0.pr3
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.10.5.1
2.11.0.rc1
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.12.0-rc1
2.12.0-rc2
2.12.0
2.12.1
2.12.2
2.12.3
2.12.4
2.12.5
2.12.6
2.12.6.1
2.12.7

Maven / com.fasterxml.jackson.core:jackson-databind

Package

Name
com.fasterxml.jackson.core:jackson-databind
View open source insights on deps.dev
Purl
pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.13.0
Fixed
2.13.4.2

Affected versions

2.*

2.13.0
2.13.1
2.13.2
2.13.2.1
2.13.2.2
2.13.3
2.13.4
2.13.4.1