CVE-2022-42003

Summary

CVE	CVE-2022-42003
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-10-02 05:15:00 UTC
Updated	2023-12-20 10:15:00 UTC
Description	In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1

Risk And Classification

Problem Types: CWE-502

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Application	Fasterxml	Jackson-databind	All	All	All	All
Application	Netapp	Oncommand Workflow Automation	-	All	All	All
Application	Quarkus	Quarkus	All	All	All	All

References

Reference	Source	Link	Tags
Fix #3590 · FasterXML/jackson-databind@d78d00e · GitHub	MISC	github.com
51020 - oss-fuzz - OSS-Fuzz: Fuzzing the planet - Monorail	MISC	bugs.chromium.org
FasterXML jackson-databind: Multiple vulnerabilities (GLSA 202210-21) — Gentoo security	GENTOO	security.gentoo.org
Debian -- Security Information -- DSA-5283-1 jackson-databind	DEBIAN	www.debian.org
Add check in primitive value deserializers to avoid deep wrapper array nesting wrt `UNWRAP_SINGLE_VALUE_ARRAYS` · Issue #3590 · FasterXML/jackson-databind · GitHub	MISC	github.com
CVE-2022-42003 FasterXML Jackson Databind Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
[SECURITY] [DLA 3207-1] jackson-databind security update	MLIST	lists.debian.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

181229 Debian Security Update for jackson-databind (DSA 5283-1)
181250 Debian Security Update for jackson-databind (DLA 3207-1)
184482 Debian Security Update for jackson-databind (CVE-2022-42003)
20317 Oracle Database 21c Critical Patch Update - January 2023
20318 Oracle Database 19c Critical Patch Update - January 2023
20319 Oracle Database 19c Critical OJVM Patch Update - January 2023
241153 Red Hat Update for JBoss Enterprise Application Platform 7.4.9 (RHSA-2023:0554)
241154 Red Hat Update for JBoss Enterprise Application Platform 7.4.9 (RHSA-2023:0552)
241155 Red Hat Update for JBoss Enterprise Application Platform 7.4.9 (RHSA-2023:0553)
241405 Red Hat Update for Satellite 6.13 (RHSA-2023:2097)
284286 Fedora Security Update for fasterxml (FEDORA-2022-6aa833b95f)
377909 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUJAN2023)
378429 Oracle Coherence April 2023 Critical Patch Update (CPUAPR2023)
378883 Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)
378990 Atlassian Jira Service Management Data Center and Server Denial of Service (DoS) Vulnerability (JSDSERVER-14749,JSDSERVER-14751,JSDSERVER-14752,JSDSERVER-14753,JSDSERVER-14754,JSDSERVER-14755)
691024 Free Berkeley Software Distribution (FreeBSD) Security Update for cassandra3 (53caf29b-9180-11ed-acbe-b42e991fc52e)
710652 Gentoo Linux FasterXML jackson-databind Multiple Vulnerabilities (GLSA 202210-21)
731325 Atlassian Bamboo Server and Data Center Information Exposure vulnerability (BAM-25152, BAM-25153)
752806 SUSE Enterprise Linux Security Update for jackson-databind (SUSE-SU-2022:3995-1)
960924 Rocky Linux Security Update for Satellite (RLSA-2023:2097)