Vulnerability in jackson-databind
Issue date: 14-12-2022
Affects versions: 15.1, 14.7, 13.4
Security Issue ID
SECURITY-399
Affected Product Version(s)
15.1.4, 14.7.13, 13.4.21 and previous releases.
Severity
High
Description
CVE-2022-42003
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a missing check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix versions: 2.13.4.1 and 2.12.17.1.
CWE-502 Deserialization of Untrusted Data
CVSSv3:
- Base Score: HIGH (7.5)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
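The following is an added example, not code from this advisory or from the affected product, showing the defensive side of the description above: an application that enables UNWRAP_SINGLE_VALUE_ARRAYS can pre-validate the nesting depth of untrusted JSON with jackson-core's streaming parser (which is iterative, not recursive) before handing the input to ObjectMapper. The limit MAX_DEPTH, the class name, and the sample inputs are assumptions made for the example; upgrading to a fixed release remains the actual remediation.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class NestingDepthGuard {
    // Hypothetical limit chosen for this example; size it to what the
    // application's real schemas need rather than copying this value.
    static final int MAX_DEPTH = 32;

    /**
     * Walk the token stream and reject input whose array/object nesting
     * exceeds MAX_DEPTH. Only the streaming layer is used here, so no
     * databind deserializer (and no deep recursion) runs on the input.
     */
    static void checkNestingDepth(JsonFactory factory, String json) throws IOException {
        try (JsonParser p = factory.createParser(json)) {
            int depth = 0;
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_ARRAY || t == JsonToken.START_OBJECT) {
                    depth++;
                    if (depth > MAX_DEPTH) {
                        throw new IOException("JSON nesting depth exceeds " + MAX_DEPTH);
                    }
                } else if (t == JsonToken.END_ARRAY || t == JsonToken.END_OBJECT) {
                    depth--;
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        // The feature named in the advisory; it is disabled by default.
        mapper.enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        JsonFactory factory = mapper.getFactory();

        // Constructed sample inputs for the example (String.repeat needs Java 11+).
        String wrapped = "[42]";                                   // one wrapper level
        String tooDeep = "[".repeat(64) + "42" + "]".repeat(64);   // exceeds MAX_DEPTH

        checkNestingDepth(factory, wrapped);
        int value = mapper.readValue(wrapped, Integer.class);      // unwraps to 42
        System.out.println("accepted: " + value);

        try {
            checkNestingDepth(factory, tooDeep);                   // throws before databind
            mapper.readValue(tooDeep, Integer.class);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check costs one extra pass over the document, which is acceptable for request-sized payloads; for streams that are too large to buffer, the same depth counter can be kept on the parser that feeds ObjectMapper instead of a separate pass. Newer jackson-core releases (2.15 and later) expose a built-in equivalent through StreamReadConstraints with a maximum nesting depth, which is preferable where available.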
Instructions
Customers are advised to upgrade to the latest version, which at the time of writing is 15.2.0, 14.7.13 or 13.4.22.