Uncontrolled Resource Consumption in Jackson-databind
High severity
GitHub Reviewed
Published Oct 3, 2022 to the GitHub Advisory Database • Updated Mar 15, 2024
Package
Affected versions: >= 2.4.0-rc1, < 2.12.7.1; >= 2.13.0, < 2.13.4.2
Patched versions: 2.12.7.1, 2.13.4.2
Description
Published by the National Vulnerability Database: Oct 2, 2022
Published to the GitHub Advisory Database: Oct 3, 2022
Reviewed: Oct 4, 2022
Last updated: Mar 15, 2024
In FasterXML jackson-databind from 2.4.0-rc1 up to (but not including) 2.12.7.1, and in 2.13.x before 2.13.4.2, resource exhaustion can occur when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled, because the primitive value deserializers lack a check that bounds how deeply a value may be wrapped in nested arrays. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.
Commits that introduced vulnerable code are FasterXML/jackson-databind@d499f2e, FasterXML/jackson-databind@0e37a39, and FasterXML/jackson-databind@7ba9ac5.
Fix commits are FasterXML/jackson-databind@cd09097 and FasterXML/jackson-databind@d78d00e.
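A defensive pattern for deployments that cannot upgrade immediately, written as an added example (not code from the advisory or from the jackson-databind project): a streaming pre-check that measures array/object nesting depth with the non-recursive JsonParser and rejects over-nested input before it reaches the primitive deserializers with UNWRAP_SINGLE_VALUE_ARRAYS enabled. The class name, the MAX_DEPTH limit and the sample inputs are assumptions constructed for this example.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class NestingGuard {
    // Hypothetical limit chosen for this example; a real value follows the application's schemas.
    static final int MAX_DEPTH = 8;

    /** Maximum array/object nesting depth of a document, measured by streaming tokens (no tree, no recursion). */
    static int nestingDepth(String json) throws IOException {
        int depth = 0, max = 0;
        try (JsonParser p = new JsonFactory().createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_ARRAY || t == JsonToken.START_OBJECT) {
                    depth++;
                    if (depth > max) max = depth;
                } else if (t == JsonToken.END_ARRAY || t == JsonToken.END_OBJECT) {
                    depth--;
                }
            }
        }
        return max;
    }

    /** Refuses over-nested input, then hands well-bounded input to databind as usual. */
    static Integer readIntGuarded(ObjectMapper mapper, String json) throws IOException {
        int depth = nestingDepth(json);
        if (depth > MAX_DEPTH) {
            throw new IOException("refusing input nested " + depth + " levels deep (limit " + MAX_DEPTH + ")");
        }
        return mapper.readValue(json, Integer.class);
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);

        // Constructed inputs: a legitimately single-wrapped value, and one wrapped beyond the limit.
        String shallow = "[42]";
        StringBuilder deep = new StringBuilder("1");
        for (int i = 0; i < 20; i++) deep.insert(0, '[').append(']');

        System.out.println("shallow -> " + readIntGuarded(mapper, shallow));
        try {
            readIntGuarded(mapper, deep.toString());
        } catch (IOException e) {
            System.out.println("deep    -> rejected: " + e.getMessage());
        }
    }
}
```

The pre-check costs one extra tokenizing pass over the input; for large payloads, apply the same depth counter inside a custom parser wrapper instead of parsing twice.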
References