High severityNVD Advisory· Published Oct 2, 2022· Updated Aug 3, 2024
CVE-2022-42004
CVE-2022-42004
Description
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.fasterxml.jackson.core:jackson-databindMaven | >= 2.4.0-rc1, < 2.12.7.1 | 2.12.7.1 |
com.fasterxml.jackson.core:jackson-databindMaven | >= 2.13.0, < 2.13.4 | 2.13.4 |
Affected products
49(expand)+ 1 more
- (no CPE)
- (no CPE)range: <2.13.4
- osv-coords47 versionspkg:apk/chainguard/cassandra-5.0pkg:apk/chainguard/cassandra-5.0-compatpkg:apk/chainguard/cassandra-5.0-entrypoint-compatpkg:apk/chainguard/cassandra-5.0-iamguarded-compatpkg:apk/chainguard/cassandra-fips-5.0pkg:apk/chainguard/cassandra-fips-5.0-compatpkg:apk/chainguard/cassandra-reaperpkg:apk/chainguard/cqlsh-5.0pkg:apk/chainguard/cqlsh-fips-5.0pkg:apk/chainguard/druidpkg:apk/chainguard/druid-compatpkg:apk/chainguard/management-api-for-apache-cassandra-4.0pkg:apk/chainguard/management-api-for-apache-cassandra-4.0-compatpkg:apk/chainguard/management-api-for-apache-cassandra-4.1pkg:apk/chainguard/management-api-for-apache-cassandra-5.0pkg:apk/chainguard/management-api-for-apache-cassandra-5.0-compatpkg:apk/chainguard/request-1277pkg:apk/chainguard/scala-3.8pkg:apk/chainguard/spark-3.5-scala-2.13pkg:apk/wolfi/cassandra-5.0pkg:apk/wolfi/cassandra-5.0-compatpkg:apk/wolfi/cassandra-5.0-entrypoint-compatpkg:apk/wolfi/cassandra-5.0-iamguarded-compatpkg:apk/wolfi/cassandra-reaperpkg:apk/wolfi/cqlsh-5.0pkg:apk/wolfi/druidpkg:apk/wolfi/druid-compatpkg:apk/wolfi/management-api-for-apache-cassandra-4.1pkg:apk/wolfi/management-api-for-apache-cassandra-5.0pkg:apk/wolfi/management-api-for-apache-cassandra-5.0-compatpkg:apk/wolfi/scala-3.8pkg:apk/wolfi/spark-3.5-scala-2.13pkg:rpm/opensuse/jackson-databind&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/jackson-databind&distro=openSUSE%20Leap%2015.4pkg:rpm/suse/jackson-databind&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOSpkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCLpkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/jackson-databind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/jackson-databind&distro=SUSE%20Manager%20Proxy%204.1pkg:rpm/suse/jackson-databind&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1pkg:rpm/suse/jackson-databind&distro=SUSE%20Manager%20Server%204.1pkg:rpm/suse/jackson-databind&distro=SUSE%20Manager%20Server%20Module%204.3
< 5.0.3-r2+ 46 more
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 0.1.109-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 3.8.4-r1
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 5.0.3-r2
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.1.109-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 0.1.89-r0
- (no CPE)range: < 3.8.4-r1
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
- (no CPE)range: < 2.13.4.2-150200.3.12.1
Patches
Vulnerability mechanics
References
13- github.com/advisories/GHSA-rgv9-q543-rqg4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-42004ghsaADVISORY
- security.gentoo.org/glsa/202210-21ghsavendor-advisoryWEB
- www.debian.org/security/2022/dsa-5283ghsavendor-advisoryWEB
- bugs.chromium.org/p/oss-fuzz/issues/detailghsaWEB
- github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88ghsaWEB
- github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1ghsaWEB
- github.com/FasterXML/jackson-databind/commit/35de19e7144c4df8ab178b800ba86e80c3d84252ghsaWEB
- github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deeaghsaWEB
- github.com/FasterXML/jackson-databind/issues/3582ghsaWEB
- lists.debian.org/debian-lts-announce/2022/11/msg00035.htmlghsamailing-listWEB
- security.netapp.com/advisory/ntap-20221118-0008ghsaWEB
- security.netapp.com/advisory/ntap-20221118-0008/mitre
News mentions
0No linked articles in our index yet.