CVE-2022-42003

Published: Oct 2, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Affected (6)

Products: Fasterxml: Jackson Databind · Quarkus: Quarkus · Debian: Debian Linux · +1 more

Show all products

Fasterxml: Jackson Databind · Quarkus: Quarkus · Debian: Debian Linux · Netapp: Oncommand Workflow Automation

1 product

Jackson Databind

1 product

1 product

1 product

Oncommand Workflow Automation

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Fasterxml Jackson Databind	Before 2.12.7.1
Fasterxml Jackson Databind	From 2.13.0 to 2.13.4.1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Quarkus Quarkus	Before 2.13.3

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Netapp Oncommand Workflow Automation	All versions

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (14)

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020

Source: cve@mitre.org

ExploitIssue TrackingMailing ListPatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/issues/3590

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202210-21

Source: cve@mitre.org

Third Party Advisory

https://security.netapp.com/advisory/ntap-20221124-0004/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2022/dsa-5283

Source: cve@mitre.org

Third Party Advisory

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingMailing ListPatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/issues/3590

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202210-21

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.netapp.com/advisory/ntap-20221124-0004/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2022/dsa-5283

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.