CVE-2022-42003 (High, reachable) detected in jackson-databind-2.8.4.jar #182

dev-mend-for-github-com · 2023-07-31T19:44:36Z

CVE-2022-42003 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar

Dependency Hierarchy:

spring-rabbit-1.7.1.RELEASE.jar (Root Library)
- http-client-1.1.1.RELEASE.jar
  - ❌ jackson-databind-2.8.4.jar (Vulnerable Library)

Found in HEAD commit: 2c2c9f752b1dec579a12ba0bcc3d8dab738d7cff

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.validator.UserValidator (Application)
  -> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
   -> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
    -> com.fasterxml.jackson.databind.ser.std.JsonValueSerializer$TypeSerializerRerouter (Extension)
    ...
      -> com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException (Extension)
       -> com.fasterxml.jackson.databind.deser.DefaultDeserializationContext (Extension)
        -> ❌ com.fasterxml.jackson.databind.deser.std.StdDeserializer (Vulnerable Component)

Vulnerability Details

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Publish Date: 2022-10-02

URL: CVE-2022-42003

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.7.1

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.0.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

The text was updated successfully, but these errors were encountered:

dev-mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jul 31, 2023

dev-mend-for-github-com bot mentioned this issue Nov 10, 2023

Update dependency org.springframework.amqp:spring-rabbit to v2 - autoclosed #193

Closed

dev-mend-for-github-com bot mentioned this issue Jun 24, 2024

Update dependency org.springframework.amqp:spring-rabbit to v2 #204

Open

1 task

dev-mend-for-github-com bot changed the title ~~CVE-2022-42003 (High, reachable) detected in jackson-databind-2.8.4.jar~~ CVE-2022-42003 (High) detected in jackson-databind-2.8.4.jar Jan 1, 2025

dev-mend-for-github-com bot changed the title ~~CVE-2022-42003 (High) detected in jackson-databind-2.8.4.jar~~ CVE-2022-42003 (High, reachable) detected in jackson-databind-2.8.4.jar Jan 6, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2022-42003 (High, reachable) detected in jackson-databind-2.8.4.jar #182

CVE-2022-42003 (High, reachable) detected in jackson-databind-2.8.4.jar #182

dev-mend-for-github-com bot commented Jul 31, 2023 •

edited

Loading

CVE-2022-42003 (High, reachable) detected in jackson-databind-2.8.4.jar #182

CVE-2022-42003 (High, reachable) detected in jackson-databind-2.8.4.jar #182

Comments

dev-mend-for-github-com bot commented Jul 31, 2023 • edited Loading

CVE-2022-42003 - High Severity Vulnerability

dev-mend-for-github-com bot commented Jul 31, 2023 •

edited

Loading