CVE-2022-42004

Description

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

CVSS Metrics

• v4.0•HIGH•Score: 8.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
• v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.25%• Percentile: 48%

Techniques & Countermeasures

• CWE-502•Deserialization of Untrusted Data

  The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

• debian•debian_linux

  10.0 | 11.0

• fasterxml•jackson-databind

  < 2.12.7.1 | ≥ 2.13.0, < 2.13.4

• com.fasterxml.jackson.core•jackson-databind

  < 2.12.7.1 | ≥ 2.4.0-rc1, < 2.12.7.1 | ≥ 2.13.0, < 2.13.4

• netapp•oncommand_workflow_automation

  na

• quarkus•quarkus

  < 2.13.0

References (13)

• https://github.com/FasterXML/jackson-databind/issues/3582
• https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490
• https://security.gentoo.org/glsa/202210-21
• https://www.debian.org/security/2022/dsa-5283
• https://security.netapp.com/advisory/ntap-20221118-0008/
• https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
• https://nvd.nist.gov/vuln/detail/CVE-2022-42004
• https://github.com/FasterXML/jackson-databind/commit/35de19e7144c4df8ab178b800ba86e80c3d84252
• https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea
• https://github.com/FasterXML/jackson-databind
• https://security.netapp.com/advisory/ntap-20221118-0008
• https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1