Resource Exhaustion in FasterXML Jackson Databind
CVE-2022-42004

7.5HIGH

Key Information:

Vendor: Fasterxml
Status: Jackson-databind
Vendor: CVE Published:; 2 October 2022

What is CVE-2022-42004?

A vulnerability exists in FasterXML Jackson Databind prior to version 2.13.4 that may lead to resource exhaustion. This occurs due to the absence of validation in the deserialization process, allowing malicious inputs to utilize deeply nested arrays without checks. Applications that employ specific customized deserialization strategies may be particularly susceptible to this issue, potentially compromising system stability and availability.

References

https://github.com/FasterXML/jackson-databind/issues/3582

https://github.com/FasterXML/jackson-databind/commit/0631...

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 2, 2022
Vulnerability Reserved
Oct 2, 2022

CVE-2022-42004 Data

JSON

Fasterxml

What is CVE-2022-42004?

References

CVSS V3.1

Timeline