CVE-2022-42004

jackson-databind: use of deeply nested arrays

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

En FasterXML jackson-databind versiones anteriores a 2.13.4, el agotamiento de los recursos puede ocurrir debido a una falta de comprobación en BeanDeserializer._deserializeFromArray para impedir el uso de arrays profundamente anidados. Una aplicación es vulnerable sólo con determinadas opciones personalizadas para la deserialización

A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-10-02 CVE Reserved
2022-10-02 CVE Published
2024-05-23 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-502: Deserialization of Untrusted Data

CAPEC

References (9)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html	Mailing List
https://security.netapp.com/advisory/ntap-20221118-0008	Third Party Advisory

URL	Date	SRC
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490	2024-08-03
https://github.com/FasterXML/jackson-databind/issues/3582	2024-08-03

URL	Date	SRC
https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88	2022-12-02

URL	Date	SRC
https://security.gentoo.org/glsa/202210-21	2022-12-02
https://www.debian.org/security/2022/dsa-5283	2022-12-02
https://access.redhat.com/security/cve/CVE-2022-42004	2023-06-19
https://bugzilla.redhat.com/show_bug.cgi?id=2135247	2023-06-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				< 2.12.7.1 Search vendor "Fasterxml" for product "Jackson-databind" and version " < 2.12.7.1"		-		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				>= 2.13.0 < 2.13.4 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.13.0 < 2.13.4"		-		Affected
Quarkus Search vendor "Quarkus"		Quarkus Search vendor "Quarkus" for product "Quarkus"				< 2.13.0 Search vendor "Quarkus" for product "Quarkus" and version " < 2.13.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected
Netapp Search vendor "Netapp"		Oncommand Workflow Automation Search vendor "Netapp" for product "Oncommand Workflow Automation"				-		-		Affected