CVE-2022-42004

EUVD-2022-7159
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
Affected Products (NVD)
VendorProductVersion
fasterxmljackson-databind
𝑥
< 2.12.7.1
fasterxmljackson-databind
2.13.0 ≤
𝑥
< 2.13.4
quarkusquarkus
𝑥
< 2.13.0
debiandebian_linux
10.0
debiandebian_linux
11.0
netapponcommand_workflow_automation
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jackson-databind
bookworm
2.14.0-1
fixed
bullseye
2.12.1-1+deb11u1
fixed
bullseye (security)
2.12.1-1+deb11u1
fixed
sid
2.14.0-1
fixed
trixie
2.14.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jackson-databind
bionic
not-affected
focal
not-affected
jammy
needed
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
not-affected
xenial
not-affected
Common Weakness Enumeration
References
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490
https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
https://github.com/FasterXML/jackson-databind/issues/3582
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
https://security.gentoo.org/glsa/202210-21
https://security.netapp.com/advisory/ntap-20221118-0008/
https://www.debian.org/security/2022/dsa-5283
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490
https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
https://github.com/FasterXML/jackson-databind/issues/3582
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
https://security.gentoo.org/glsa/202210-21
https://security.netapp.com/advisory/ntap-20221118-0008/
https://www.debian.org/security/2022/dsa-5283