CVE-2022-42004

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 44%
VendorProductVersion
fasterxmljackson-databind
𝑥
< 2.12.7.1
fasterxmljackson-databind
2.13.0 ≤
𝑥
< 2.13.4
quarkusquarkus
𝑥
< 2.13.0
debiandebian_linux
10.0
debiandebian_linux
11.0
netapponcommand_workflow_automation
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jackson-databind
bullseye (security)
2.12.1-1+deb11u1
fixed
bullseye
2.12.1-1+deb11u1
fixed
sid
2.14.0-1
fixed
trixie
2.14.0-1
fixed
bookworm
2.14.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jackson-databind
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needed
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490
https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
https://github.com/FasterXML/jackson-databind/issues/3582
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
https://security.gentoo.org/glsa/202210-21
https://security.netapp.com/advisory/ntap-20221118-0008/
https://www.debian.org/security/2022/dsa-5283
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490
https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
https://github.com/FasterXML/jackson-databind/issues/3582
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
https://security.gentoo.org/glsa/202210-21
https://security.netapp.com/advisory/ntap-20221118-0008/
https://www.debian.org/security/2022/dsa-5283