CVE-2022-42004

Published

Severity

CVSS v3: 7.5 HIGH
CVSS v2: N/A

Description

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

References

Configurations

| CPE23 | Version Start | Version End | Exact Version |
| --- | --- | --- | --- |
| cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | n/a | 2.13.4 | * |
| cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | n/a | 2.12.7.1 | * |
| cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | 2.13.0 (including) | 2.13.4 | * |
| cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:* | n/a | 2.13.0 | * |
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | n/a | n/a | 10.0 |
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | n/a | n/a | 11.0 |
| cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* | n/a | n/a | - |

External Links