CVE-2022-42004: Uncontrolled Resource Consumption in FasterXML jackson-databind
Basic Information

| Field | Value |
|---|---|
| CVSS Score (CVSS v3.1) | 7.5 |
| CVE ID | CVE-2022-42004 |
| GHSA ID | |
| EPSS Score | 0.44626% |
| CWE | |
| Published | 10/3/2022 |
| Updated | 12/2/2024 |
| KEV Status | No |
| Technology | Java |
Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.fasterxml.jackson.core:jackson-databind | maven | < 2.12.7.1 | 2.12.7.1 |
| com.fasterxml.jackson.core:jackson-databind | maven | >= 2.13.0, < 2.13.4 | 2.13.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the handling of array unwrapping in BeanDeserializer._deserializeFromArray. The commit diff shows a critical addition: a check for further START_ARRAY tokens after the initial array has been unwrapped. Prior to the patch, this function recursively processed nested arrays without any depth validation when UNWRAP_SINGLE_VALUE_ARRAYS was enabled, leading to stack overflows or memory exhaustion. The test case modifications and the CVE description explicitly reference this function as the attack vector. Other components such as StdDeserializer were patched for similar issues in the related CVE-2022-42003, but CVE-2022-42004 itself is tied to the BeanDeserializer implementation.
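As an added example (not part of this advisory page or of the jackson-databind project), the Python below encodes the two affected ranges from the package table above so that a build's dependency inventory can be screened offline. Jackson publishes four-component versions for out-of-band fixes (2.12.7.1), so versions are compared as integer tuples padded to four places. The `mvn dependency:list`-style line format assumed by the regex and the sample dependency lines are constructed for the example.

```python
"""Affected-range check for CVE-2022-42004 (jackson-databind).

Added example, not from the advisory page: it encodes the two vulnerable
ranges from the page's table (< 2.12.7.1 and >= 2.13.0, < 2.13.4) so a
dependency inventory can be screened offline. The sample dependency lines
below are constructed, not taken from a real build.
"""
from __future__ import annotations

import re
from typing import Iterable

# Maven coordinate of the affected artifact, as listed in the advisory table.
ARTIFACT = "com.fasterxml.jackson.core:jackson-databind"

# (lower bound inclusive or None, upper bound exclusive, first patched version)
AFFECTED_RANGES = [
    (None, "2.12.7.1", "2.12.7.1"),
    ("2.13.0", "2.13.4", "2.13.4"),
]


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn '2.12.7.1' or '2.13.4' into a 4-tuple; reject non-numeric input."""
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def first_patched(version: str) -> str | None:
    """Return the first fixed version when `version` is affected, else None."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        above_lower = lower is None or v >= parse_version(lower)
        if above_lower and v < parse_version(upper):
            return fixed
    return None


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    return first_patched(version) is not None


# Assumed line shape: 'group:artifact[:packaging]:version[:scope]', optionally
# prefixed by a Maven '[INFO]' marker. Adjust for other build tools.
_COORD = re.compile(r"([\w.\-]+:[\w.\-]+):(?:\w+:)?(\d+(?:\.\d+){0,3})")


def scan_dependency_list(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (version, first_patched) for every affected jackson-databind entry."""
    findings: list[tuple[str, str]] = []
    for line in lines:
        m = _COORD.search(line)
        if not m or m.group(1) != ARTIFACT:
            continue
        version = m.group(2)
        fixed = first_patched(version)
        if fixed is not None:
            findings.append((version, fixed))
    return findings


# Constructed sample inventory; one entry sits inside the first affected range.
SAMPLE_DEPENDENCY_LIST = [
    "[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.12.7:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.12.7:compile",
    "[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile",
]

if __name__ == "__main__":
    for version, fixed in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{ARTIFACT} {version} is affected by CVE-2022-42004; upgrade to {fixed}")
```

A version match is the trigger to upgrade. Since the root cause analysis ties the issue to `UNWRAP_SINGLE_VALUE_ARRAYS` being enabled, auditing each service's `ObjectMapper` configuration for that feature tells you which deployments are actually exposed while the upgrade is rolled out.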