High severityNVD Advisory· Published Oct 2, 2022· Updated Aug 3, 2024
CVE-2022-42003
CVE-2022-42003
Description
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.fasterxml.jackson.core:jackson-databindMaven | >= 2.4.0-rc1, < 2.12.7.1 | 2.12.7.1 |
com.fasterxml.jackson.core:jackson-databindMaven | >= 2.13.0, < 2.13.4.2 | 2.13.4.2 |
Affected products
50- osv-coords49 versionspkg:apk/chainguard/cassandra-5.0pkg:apk/chainguard/cassandra-5.0-compatpkg:apk/chainguard/cassandra-5.0-entrypoint-compatpkg:apk/chainguard/cassandra-5.0-iamguarded-compatpkg:apk/chainguard/cassandra-fips-5.0pkg:apk/chainguard/cassandra-fips-5.0-compatpkg:apk/chainguard/cassandra-reaperpkg:apk/chainguard/cqlsh-5.0pkg:apk/chainguard/cqlsh-fips-5.0pkg:apk/chainguard/druidpkg:apk/chainguard/druid-compatpkg:apk/chainguard/management-api-for-apache-cassandra-4.0pkg:apk/chainguard/management-api-for-apache-cassandra-4.0-compatpkg:apk/chainguard/management-api-for-apache-cassandra-4.1pkg:apk/chainguard/management-api-for-apache-cassandra-5.0pkg:apk/chainguard/management-api-for-apache-cassandra-5.0-compatpkg:apk/chainguard/request-1277pkg:apk/chainguard/scala-3.8pkg:apk/chainguard/spark-3.5-scala-2.13pkg:apk/wolfi/cassandra-5.0pkg:apk/wolfi/cassandra-5.0-compatpkg:apk/wolfi/cassandra-5.0-entrypoint-compatpkg:apk/wolfi/cassandra-5.0-iamguarded-compatpkg:apk/wolfi/cassandra-reaperpkg:apk/wolfi/cqlsh-5.0pkg:apk/wolfi/druidpkg:apk/wolfi/druid-compatpkg:apk/wolfi/management-api-for-apache-cassandra-4.1pkg:apk/wolfi/management-api-for-apache-cassandra-5.0pkg:apk/wolfi/management-api-for-apache-cassandra-5.0-compatpkg:apk/wolfi/scala-3.8pkg:apk/wolfi/spark-3.5-scala-2.13pkg:maven/com.fasterxml.jackson.core/jackson-databindpkg:rpm/opensuse/jackson-databind&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/jackson-databind&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/java-jwt&distro=openSUSE%20Tumbleweedpkg:rpm/suse/jackson-databind&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOSpkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCLpkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/jackson-databind&distro=SUSE%20Manager%20Proxy%204.1pkg:rpm/suse/jackson-databind&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1pkg:rpm/suse/jackson-databind&distro=SUSE%20Manager%20Server%204.1pkg:rpm/suse/jackson-databind&distro=SUSE%20Manager%20Server%20Module%204.3
< 5.0.3-r2+ 48 more
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 0.1.109-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 3.8.4-r1
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.1.109-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 3.8.4-r1
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: >= 2.4.0-rc1, < 2.12.7.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 4.4.0-1.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
Patches
Vulnerability mechanics
References
19- github.com/advisories/GHSA-jjjh-jjxp-wpffghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-42003ghsaADVISORY
- security.gentoo.org/glsa/202210-21ghsavendor-advisoryWEB
- www.debian.org/security/2022/dsa-5283ghsavendor-advisoryWEB
- bugs.chromium.org/p/oss-fuzz/issues/detailghsaWEB
- github.com/FasterXML/jackson-databind/blob/2.13/release-notes/VERSION-2.xghsaWEB
- github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1ghsaWEB
- github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288ghsaWEB
- github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdcghsaWEB
- github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deeaghsaWEB
- github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45ghsaWEB
- github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33ghsaWEB
- github.com/FasterXML/jackson-databind/commits/jackson-databind-2.4.0-rc1ghsaWEB
- github.com/FasterXML/jackson-databind/compare/jackson-databind-2.13.4.1...jackson-databind-2.13.4.2ghsaWEB
- github.com/FasterXML/jackson-databind/issues/3590ghsaWEB
- github.com/FasterXML/jackson-databind/issues/3627ghsaWEB
- lists.debian.org/debian-lts-announce/2022/11/msg00035.htmlghsamailing-listWEB
- security.netapp.com/advisory/ntap-20221124-0004ghsaWEB
- security.netapp.com/advisory/ntap-20221124-0004/mitre
News mentions
0No linked articles in our index yet.