CVE-2022-42003

CVE-2022-42003

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Published Oct 3, 2022

Issue #3590 bugs.chromium.org

CVSS ScoreHigh

7.5

CVE-2022-42003 Security Details

CVE ID: CVE-2022-42003
CWE: CWE-502
CVE Description: In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Published: Oct 3, 2022
CVSS Score & Severity: 7.5High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.291%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: com/fasterxml/jackson/databind/deser/std/DateDeserializers$DateBasedDeserializer._parseDate(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Ljava/util/Date;
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/FromStringDeserializer.deserialize(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Ljava/lang/Object;
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/NumberDeserializers$BooleanDeserializer._parseBoolean(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Ljava/lang/Boolean;
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/NumberDeserializers$LongDeserializer._parseLong(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Ljava/lang/Long;
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._deserializeWrappedValue(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Ljava/lang/Object;
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseBooleanPrimitive(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Z
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseBytePrimitive(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)B
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseDateFromArray(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Ljava/util/Date;
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseDoublePrimitive(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)D
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseFloatPrimitive(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)F
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseIntPrimitive(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)I
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseLongPrimitive(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)J
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseShortPrimitive(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)S
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StringDeserializer._deserializeFromArray(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Ljava/lang/String;
JVMVulnerable params: 0, 1
Affected Ecosystems: affected
Source: National Vulnerability Database
References: GitHub · Issue #3590PROJECT
bugs.chromium.orgTHIRD_PARTY

CVE-2022-42003 Security Details

CVE ID: CVE-2022-42003
CWE: CWE-502
CVE Description: In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Published: Oct 3, 2022
CVSS Score & Severity: 7.5High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.291%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: com/fasterxml/jackson/databind/deser/std/DateDeserializers$DateBasedDeserializer._parseDate(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Ljava/util/Date;
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/FromStringDeserializer.deserialize(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Ljava/lang/Object;
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/NumberDeserializers$BooleanDeserializer._parseBoolean(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Ljava/lang/Boolean;
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/NumberDeserializers$LongDeserializer._parseLong(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Ljava/lang/Long;
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._deserializeWrappedValue(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Ljava/lang/Object;
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseBooleanPrimitive(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Z
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseBytePrimitive(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)B
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseDateFromArray(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Ljava/util/Date;
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseDoublePrimitive(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)D
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseFloatPrimitive(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)F
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseIntPrimitive(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)I
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseLongPrimitive(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)J
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StdDeserializer._parseShortPrimitive(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)S
JVMVulnerable params: 0, 1
com/fasterxml/jackson/databind/deser/std/StringDeserializer._deserializeFromArray(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Ljava/lang/String;
JVMVulnerable params: 0, 1
Affected Ecosystems: affected
Source: National Vulnerability Database
References: GitHub · Issue #3590PROJECT
bugs.chromium.orgTHIRD_PARTY

Find vulnerabilities. Fix fast with AI.

CVE-2022-42003

CVE-2022-42003 Security Details

CVE-2022-42003 Security Details