CVE-2022-42004

Published: Oct 2, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Affected (6)

Products: Fasterxml: Jackson Databind · Quarkus: Quarkus · Debian: Debian Linux · +1 more

Show all products

Fasterxml: Jackson Databind · Quarkus: Quarkus · Debian: Debian Linux · Netapp: Oncommand Workflow Automation

1 product

Jackson Databind

1 product

1 product

1 product

Oncommand Workflow Automation

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Fasterxml Jackson Databind	Before 2.12.7.1
Fasterxml Jackson Databind	From 2.13.0 to 2.13.4

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Quarkus Quarkus	Before 2.13.0

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Netapp Oncommand Workflow Automation	All versions

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (14)

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490

Source: cve@mitre.org

ExploitIssue TrackingMailing ListPatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/issues/3582

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202210-21

Source: cve@mitre.org

Third Party Advisory

https://security.netapp.com/advisory/ntap-20221118-0008/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2022/dsa-5283

Source: cve@mitre.org

Third Party Advisory

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingMailing ListPatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/issues/3582

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202210-21

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.netapp.com/advisory/ntap-20221118-0008/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2022/dsa-5283

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.