CVE-2022-42004
First published: Sun Oct 02 2022(Updated: )
A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/jackson-databind | <=2.9.8-3+deb10u3 | 2.9.8-3+deb10u5 2.12.1-1+deb11u1 2.14.0-1 |
| redhat/jenkins | <2-plugins-0:4.11.1686831822-1.el8 | 2-plugins-0:4.11.1686831822-1.el8 |
| redhat/jenkins | <2-plugins-0:4.12.1675702407-1.el8 | 2-plugins-0:4.12.1675702407-1.el8 |
| redhat/eap7-jackson-databind | <0:2.12.7-1.redhat_00003.1.el8ea | 0:2.12.7-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-databind | <0:2.12.7-1.redhat_00003.1.el9ea | 0:2.12.7-1.redhat_00003.1.el9ea |
| redhat/eap7-jackson-databind | <0:2.12.7-1.redhat_00003.1.el7ea | 0:2.12.7-1.redhat_00003.1.el7ea |
| redhat/candlepin | <0:4.2.13-1.el8 | 0:4.2.13-1.el8 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el7 | 0:18.0.6-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el8 | 0:18.0.6-1.redhat_00001.1.el8 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el9 | 0:18.0.6-1.redhat_00001.1.el9 |
| FasterXML jackson-databind | <2.12.7.1 | |
| FasterXML jackson-databind | >=2.13.0<2.13.4 | |
| Quarkus Quarkus | <2.13.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| NetApp OnCommand Workflow Automation | ||
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.13.0<2.13.4 | 2.13.4 |
| maven/com.fasterxml.jackson.core:jackson-databind | <2.12.7.1 | 2.12.7.1 |
| IBM Cognos Command Center | <=10.2.4.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/FasterXML/jackson-databind/issues/3582
- https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490
- https://security-tracker.debian.org/tracker/CVE-2022-42004
- https://www.cve.org/CVERecord?id=CVE-2022-42004 https://nvd.nist.gov/vuln/detail/CVE-2022-42004
- https://bugzilla.redhat.com/show_bug.cgi?id=2135247
- https://access.redhat.com/errata/RHSA-2022:7435
- https://access.redhat.com/errata/RHSA-2023:0471
- https://access.redhat.com/errata/RHSA-2023:3663
- https://access.redhat.com/errata/RHSA-2023:1064
- https://access.redhat.com/errata/RHSA-2022:8889
- https://access.redhat.com/errata/RHSA-2022:8876
- https://access.redhat.com/errata/RHSA-2022:9023
- https://access.redhat.com/errata/RHSA-2023:1006
- https://access.redhat.com/errata/RHSA-2023:0713
- https://access.redhat.com/errata/RHSA-2023:3641
- https://access.redhat.com/errata/RHSA-2023:2100
- https://access.redhat.com/errata/RHSA-2023:0469
- https://access.redhat.com/errata/RHSA-2023:0189
- https://access.redhat.com/errata/RHSA-2023:3223
- https://access.redhat.com/errata/RHSA-2023:0556
- https://access.redhat.com/errata/RHSA-2023:0553
- https://access.redhat.com/errata/RHSA-2023:0554
- https://access.redhat.com/errata/RHSA-2023:0552
- https://access.redhat.com/errata/RHSA-2023:2097
- https://access.redhat.com/errata/RHSA-2023:1049
- https://access.redhat.com/errata/RHSA-2023:1043
- https://access.redhat.com/errata/RHSA-2023:1044
- https://access.redhat.com/errata/RHSA-2023:1045
- https://access.redhat.com/errata/RHSA-2023:1047
- https://access.redhat.com/errata/RHSA-2022:8781
- https://access.redhat.com/errata/RHSA-2023:0264
- https://access.redhat.com/errata/RHSA-2022:9032
- https://access.redhat.com/security/cve/cve-2022-42004
- https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
- https://security.gentoo.org/glsa/202210-21
- https://security.netapp.com/advisory/ntap-20221118-0008/
- https://www.debian.org/security/2022/dsa-5283
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2135250
- https://access.redhat.com/errata/RHSA-2023:2135
- https://nvd.nist.gov/vuln/detail/CVE-2022-42004
- https://github.com/FasterXML/jackson-databind/commit/35de19e7144c4df8ab178b800ba86e80c3d84252
- https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea
- https://security.netapp.com/advisory/ntap-20221118-0008
- https://github.com/advisories/GHSA-rgv9-q543-rqg4 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/237660
- https://www.ibm.com/support/pages/node/6983274 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
- RHSA-2022:7435
- RHSA-2023:0471
- RHSA-2023:3663
- RHSA-2023:1064
- RHSA-2022:8889
- RHSA-2022:8876
- RHSA-2022:9023
- RHSA-2023:1006
- RHSA-2023:0713
- RHSA-2023:3641
- RHSA-2023:2100
- RHSA-2023:0469
- RHSA-2023:0189
- RHSA-2023:3223
- RHSA-2023:0556
- RHSA-2023:0553
- RHSA-2023:0554
- RHSA-2023:0552
- RHSA-2023:2097
- RHSA-2023:1049
- RHSA-2023:1043
- RHSA-2023:1044
- RHSA-2023:1045
- RHSA-2023:1047
- RHSA-2022:8781
- RHSA-2023:0264
- RHSA-2022:9032
- IBM-6983274
Frequently Asked Questions
What is CVE-2022-42004?
CVE-2022-42004 is a vulnerability in FasterXML jackson-databind that allows an attacker to exhaust system resources due to a lack of a check in BeanDeserializer._deserializeFromArray.
How does CVE-2022-42004 impact an application?
CVE-2022-42004 can impact an application by allowing an attacker to exploit deeply nested arrays, leading to resource exhaustion.
What is the severity of CVE-2022-42004?
CVE-2022-42004 has a severity rating of high (7 out of 10).
How can I fix CVE-2022-42004?
To fix CVE-2022-42004, upgrade to FasterXML jackson-databind version 2.13.4 or later.
Where can I find more information about CVE-2022-42004?
More information about CVE-2022-42004 can be found on the CVE website (https://www.cve.org/CVERecord?id=CVE-2022-42004) and the NVD website (https://nvd.nist.gov/vuln/detail/CVE-2022-42004).
- collector/security-tracker-debian
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-42004
- agent/description
- agent/weakness
- agent/event
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-rgv9-q543-rqg4
- collector/github-advisory
- agent/last-modified-date
- collector/ibm-support
- source/IBM
- agent/references
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- package-manager/redhat
- vendor/fasterxml
- canonical/fasterxml jackson-databind
- version/fasterxml jackson-databind/2.13.0
- vendor/quarkus
- canonical/quarkus quarkus
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/netapp
- canonical/netapp oncommand workflow automation
- package-manager/maven
- vendor/ibm
- canonical/ibm cognos command center
- version/ibm cognos command center/10.2.4.1