Vulnerability in jackson-databind
Issue date: 14-12-2022
Affects versions: 15.1, 14.7, 13.4
Security Issue ID
Affected Product Version(s)
15.1.4, 14.7.13, 13.4.21 and previous releases.
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 18.104.22.168 and 22.214.171.124
CWE-502 Deserialization of Untrusted Data
- Base Score: HIGH (7.5)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Customers are advised to upgrade to the latest version, which at the time of writing is 15.2.0, 14.7.13 or 13.4.22.
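For applications that call jackson-databind directly and need UNWRAP_SINGLE_VALUE_ARRAYS, the nesting check described above can be approximated before data binding. This is an added example, not code from the advisory or from FasterXML. The class name `NestingGuard`, the helper names and the limit of 64 are assumptions, and `String.repeat` requires Java 11 or later.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class NestingGuard {
    // Assumed limit for this example; pick one that fits your legitimate payloads.
    static final int MAX_DEPTH = 64;

    // Walks the token stream and stops as soon as array/object nesting exceeds maxDepth.
    static boolean withinDepth(byte[] json, int maxDepth) throws IOException {
        int depth = 0;
        try (JsonParser p = new JsonFactory().createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_ARRAY || t == JsonToken.START_OBJECT) {
                    if (++depth > maxDepth) return false;
                } else if (t == JsonToken.END_ARRAY || t == JsonToken.END_OBJECT) {
                    depth--;
                }
            }
        }
        return true;
    }

    // Binds to Integer only after the depth check; the check is applied only
    // when the unwrapping feature named in the advisory is enabled.
    static Integer readInt(ObjectMapper mapper, byte[] json) throws IOException {
        if (mapper.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)
                && !withinDepth(json, MAX_DEPTH)) {
            throw new IOException("rejected: nesting deeper than " + MAX_DEPTH);
        }
        return mapper.readValue(json, Integer.class);
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        // Constructed sample inputs: a normal single-value array and a deeply wrapped one.
        byte[] normal = "[42]".getBytes(StandardCharsets.UTF_8);
        byte[] nested = ("[".repeat(200) + "1" + "]".repeat(200)).getBytes(StandardCharsets.UTF_8);
        System.out.println(readInt(mapper, normal));
        try { readInt(mapper, nested); } catch (IOException e) { System.out.println(e.getMessage()); }
    }
}
```

The guard is a stopgap for code that cannot yet move to a fixed jackson-databind; the feature is disabled by default, and leaving it disabled avoids the affected code path.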