CVE-2022-42004 - Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Fasterxml	Jackson-databind
Netapp	Oncommand Workflow Automation
Quarkus	Quarkus
Redhat	Amq Broker Amq Streams Camel Quarkus Camel Spring Boot Jboss Data Grid Jboss Enterprise Application Platform Jboss Enterprise Application Platform Eus Jboss Enterprise Bpms Platform Logging Migration Toolkit Runtimes Ocp Tools Openshift Application Runtimes Quarkus Red Hat Single Sign On Rhosemc Satellite

Configuration 1 [-]

OR	cpe:2.3:a:fasterxml:jackson-databind::::::::
	cpe:2.3:a:fasterxml:jackson-databind::::::::

Configuration 2 [-]

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 4 [-]

cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Logging subsystem for Red Hat OpenShift 5.4
openshift-logging/elasticsearch6-rhel8:v6.8.1-265	cpe:/a:redhat:logging:5.4::el8	RHSA-2022:7435	2022-11-16T00:00:00Z
openshift-logging/elasticsearch-operator-bundle:v5.4.8-11	cpe:/a:redhat:logging:5.4::el8	RHSA-2022:7435	2022-11-16T00:00:00Z
openshift-logging/elasticsearch-proxy-rhel8:v1.0.0-300	cpe:/a:redhat:logging:5.4::el8	RHSA-2022:7435	2022-11-16T00:00:00Z
openshift-logging/elasticsearch-rhel8-operator:v5.4.8-3	cpe:/a:redhat:logging:5.4::el8	RHSA-2022:7435	2022-11-16T00:00:00Z
Migration Toolkit for Runtimes 1 on RHEL 8
jackson-databind	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2023:0471	2023-01-26T00:00:00Z
OCP-Tools-4.12-RHEL-8
jenkins-2-plugins-0:4.12.1675702407-1.el8	cpe:/a:redhat:ocp_tools:4.12::el8	RHSA-2023:1064	2023-03-06T00:00:00Z
OpenShift Developer Tools and Services for OCP 4.11
jenkins-2-plugins-0:4.11.1686831822-1.el8	cpe:/a:redhat:ocp_tools:4.11::el8	RHSA-2023:3663	2023-06-19T00:00:00Z
OpenShift Logging 5.3
openshift-logging/elasticsearch6-rhel8:v6.8.1-277	cpe:/a:redhat:logging:5.3::el8	RHSA-2022:8889	2022-12-08T00:00:00Z
openshift-logging/elasticsearch-operator-bundle:v5.3.14-16	cpe:/a:redhat:logging:5.3::el8	RHSA-2022:8889	2022-12-08T00:00:00Z
openshift-logging/elasticsearch-proxy-rhel8:v1.0.0-315	cpe:/a:redhat:logging:5.3::el8	RHSA-2022:8889	2022-12-08T00:00:00Z
openshift-logging/elasticsearch-rhel8-operator:v5.3.14-5	cpe:/a:redhat:logging:5.3::el8	RHSA-2022:8889	2022-12-08T00:00:00Z
Red Hat AMQ Broker 7
jackson-databind	cpe:/a:redhat:amq_broker:7	RHSA-2022:8876	2022-12-07T00:00:00Z
Red Hat AMQ Streams 2.3.0
jackson-databind	cpe:/a:redhat:amq_streams:2	RHSA-2023:0189	2023-01-17T00:00:00Z
Red Hat AMQ Streams 2.4.0
	cpe:/a:redhat:amq_streams:2	RHSA-2023:3223	2023-05-18T00:00:00Z
Red Hat build of Eclipse Vert.x 4.3.4
jackson-databind	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2022:9032	2022-12-15T00:00:00Z
Red Hat build of Quarkus 2.13.5
jackson-databind	cpe:/a:redhat:quarkus:2.13	RHSA-2022:9023	2022-12-14T00:00:00Z
Red Hat build of Quarkus 2.7.7
	cpe:/a:redhat:quarkus:2.7	RHSA-2023:1006	2023-03-08T00:00:00Z
Red Hat Data Grid 8.4.1
jackson-databind	cpe:/a:redhat:jboss_data_grid:8	RHSA-2023:0713	2023-02-09T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7
jackson-databind	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2023:0556	2023-01-31T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:1746	2025-02-24T00:00:00Z
eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:1746	2025-02-24T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2023:0553	2023-01-31T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2023:0554	2023-01-31T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2023:0552	2023-01-31T00:00:00Z
Red Hat Satellite 6.13 for RHEL 8
candlepin-0:4.2.13-1.el8sat	cpe:/a:redhat:satellite:6.13::el8	RHSA-2023:2097	2023-05-03T00:00:00Z
Red Hat Single Sign-On 7.0
jackson-databind	cpe:/a:redhat:red_hat_single_sign_on:7.6	RHSA-2023:1049	2023-03-01T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 7
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el7	RHSA-2023:1043	2023-03-01T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 8
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el8	RHSA-2023:1044	2023-03-01T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 9
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2023:1045	2023-03-01T00:00:00Z
RHEL-8 based Middleware Containers
rh-sso-7/sso76-openshift-rhel8:7.6-20	cpe:/a:redhat:rhosemc:1.0::el8	RHSA-2023:1047	2023-03-01T00:00:00Z
RHINT Camel-Q 2.13.2
jackson-databind	cpe:/a:redhat:camel_quarkus:2.13	RHSA-2023:0469	2023-01-26T00:00:00Z
RHINT Camel-Springboot 3.18.3.P2
jackson-databind	cpe:/a:redhat:camel_spring_boot:3.18	RHSA-2023:3641	2023-06-15T00:00:00Z
RHINT Camel-Springboot 3.20.1
jackson-databind	cpe:/a:redhat:camel_spring_boot:3.20.1	RHSA-2023:2100	2023-05-03T00:00:00Z
RHOL-5.5-RHEL-8
openshift-logging/elasticsearch6-rhel8:v6.8.1-273	cpe:/a:redhat:logging:5.5::el8	RHSA-2022:8781	2022-12-08T00:00:00Z
openshift-logging/elasticsearch-operator-bundle:v5.5.5-14	cpe:/a:redhat:logging:5.5::el8	RHSA-2022:8781	2022-12-08T00:00:00Z
openshift-logging/elasticsearch-proxy-rhel8:v1.0.0-311	cpe:/a:redhat:logging:5.5::el8	RHSA-2022:8781	2022-12-08T00:00:00Z
openshift-logging/elasticsearch-rhel8-operator:v5.5.5-2	cpe:/a:redhat:logging:5.5::el8	RHSA-2022:8781	2022-12-08T00:00:00Z
RHOL-5.6-RHEL-8
openshift-logging/elasticsearch6-rhel8:v6.8.1-285	cpe:/a:redhat:logging:5.6::el8	RHSA-2023:0264	2023-01-19T00:00:00Z
RHPAM 7.13.1 async
jackson-databind	cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13	RHSA-2023:2135	2023-05-04T00:00:00Z

References

Link	Providers
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490
https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
https://github.com/FasterXML/jackson-databind/issues/3582
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
https://nvd.nist.gov/vuln/detail/CVE-2022-42004
https://security.gentoo.org/glsa/202210-21
https://security.netapp.com/advisory/ntap-20221118-0008/
https://www.cve.org/CVERecord?id=CVE-2022-42004
https://www.debian.org/security/2022/dsa-5283

History

Tue, 25 Feb 2025 02:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Enterprise Application Platform Eus
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
Vendors & Products		Redhat jboss Enterprise Application Platform Eus

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-02T00:00:00

Updated: 2024-08-03T12:56:39.182Z

Reserved: 2022-10-02T00:00:00

Link: CVE-2022-42004

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-10-02T05:15:09.237

Modified: 2024-11-21T07:24:15.277

Link: CVE-2022-42004

Redhat

Severity : Moderate

Publid Date: 2022-10-02T00:00:00Z

Links: CVE-2022-42004 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-42004", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T12:56:39.182Z", "dateReserved": "2022-10-02T00:00:00", "datePublished": "2022-10-02T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-11-27T00:00:00"}, "descriptions": [{"lang": "en", "value": "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/FasterXML/jackson-databind/issues/3582"}, {"url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88"}, {"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490"}, {"name": "GLSA-202210-21", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202210-21"}, {"name": "DSA-5283", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5283"}, {"url": "https://security.netapp.com/advisory/ntap-20221118-0008/"}, {"name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:56:39.182Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/FasterXML/jackson-databind/issues/3582", "tags": ["x_transferred"]}, {"url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", "tags": ["x_transferred"]}, {"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490", "tags": ["x_transferred"]}, {"name": "GLSA-202210-21", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202210-21"}, {"name": "DSA-5283", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5283"}, {"url": "https://security.netapp.com/advisory/ntap-20221118-0008/", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", "matchCriteriaId": "0848F177-1977-4C9C-B91A-7374FF25F335", "versionEndExcluding": "2.12.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", "matchCriteriaId": "2BB48E8E-EB2F-46D1-BD98-982FB3528273", "versionEndExcluding": "2.13.4", "versionStartIncluding": "2.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CA36870-3A63-428D-BC49-4924FF75FAAD", "versionEndExcluding": "2.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization."}, {"lang": "es", "value": "En FasterXML jackson-databind versiones anteriores a 2.13.4, el agotamiento de los recursos puede ocurrir debido a una falta de comprobaci\u00f3n en BeanDeserializer._deserializeFromArray para impedir el uso de arrays profundamente anidados. Una aplicaci\u00f3n es vulnerable s\u00f3lo con determinadas opciones personalizadas para la deserializaci\u00f3n"}], "id": "CVE-2022-42004", "lastModified": "2024-11-21T07:24:15.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-02T05:15:09.237", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Mailing List", "Patch", "Third Party Advisory"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-databind/issues/3582"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-21"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221118-0008/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5283"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Mailing List", "Patch", "Third Party Advisory"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-databind/issues/3582"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-21"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221118-0008/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5283"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:7435", "cpe": "cpe:/a:redhat:logging:5.4::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-265", "product_name": "Logging subsystem for Red Hat OpenShift 5.4", "release_date": "2022-11-16T00:00:00Z"}, {"advisory": "RHSA-2022:7435", "cpe": "cpe:/a:redhat:logging:5.4::el8", "package": "openshift-logging/elasticsearch-operator-bundle:v5.4.8-11", "product_name": "Logging subsystem for Red Hat OpenShift 5.4", "release_date": "2022-11-16T00:00:00Z"}, {"advisory": "RHSA-2022:7435", "cpe": "cpe:/a:redhat:logging:5.4::el8", "package": "openshift-logging/elasticsearch-proxy-rhel8:v1.0.0-300", "product_name": "Logging subsystem for Red Hat OpenShift 5.4", "release_date": "2022-11-16T00:00:00Z"}, {"advisory": "RHSA-2022:7435", "cpe": "cpe:/a:redhat:logging:5.4::el8", "package": "openshift-logging/elasticsearch-rhel8-operator:v5.4.8-3", "product_name": "Logging subsystem for Red Hat OpenShift 5.4", "release_date": "2022-11-16T00:00:00Z"}, {"advisory": "RHSA-2023:0471", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "jackson-databind", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2023-01-26T00:00:00Z"}, {"advisory": "RHSA-2023:1064", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-2-plugins-0:4.12.1675702407-1.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2023-03-06T00:00:00Z"}, {"advisory": "RHSA-2023:3663", "cpe": "cpe:/a:redhat:ocp_tools:4.11::el8", "package": "jenkins-2-plugins-0:4.11.1686831822-1.el8", "product_name": "OpenShift Developer Tools and Services for OCP 4.11", "release_date": "2023-06-19T00:00:00Z"}, {"advisory": "RHSA-2022:8889", "cpe": "cpe:/a:redhat:logging:5.3::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-277", "product_name": "OpenShift Logging 5.3", "release_date": "2022-12-08T00:00:00Z"}, {"advisory": "RHSA-2022:8889", "cpe": "cpe:/a:redhat:logging:5.3::el8", "package": "openshift-logging/elasticsearch-operator-bundle:v5.3.14-16", "product_name": "OpenShift Logging 5.3", "release_date": "2022-12-08T00:00:00Z"}, {"advisory": "RHSA-2022:8889", "cpe": "cpe:/a:redhat:logging:5.3::el8", "package": "openshift-logging/elasticsearch-proxy-rhel8:v1.0.0-315", "product_name": "OpenShift Logging 5.3", "release_date": "2022-12-08T00:00:00Z"}, {"advisory": "RHSA-2022:8889", "cpe": "cpe:/a:redhat:logging:5.3::el8", "package": "openshift-logging/elasticsearch-rhel8-operator:v5.3.14-5", "product_name": "OpenShift Logging 5.3", "release_date": "2022-12-08T00:00:00Z"}, {"advisory": "RHSA-2022:8876", "cpe": "cpe:/a:redhat:amq_broker:7", "package": "jackson-databind", "product_name": "Red Hat AMQ Broker 7", "release_date": "2022-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:0189", "cpe": "cpe:/a:redhat:amq_streams:2", "package": "jackson-databind", "product_name": "Red Hat AMQ Streams 2.3.0", "release_date": "2023-01-17T00:00:00Z"}, {"advisory": "RHSA-2023:3223", "cpe": "cpe:/a:redhat:amq_streams:2", "product_name": "Red Hat AMQ Streams 2.4.0", "release_date": "2023-05-18T00:00:00Z"}, {"advisory": "RHSA-2022:9032", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "jackson-databind", "product_name": "Red Hat build of Eclipse Vert.x 4.3.4", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9023", "cpe": "cpe:/a:redhat:quarkus:2.13", "package": "jackson-databind", "product_name": "Red Hat build of Quarkus 2.13.5", "release_date": "2022-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:1006", "cpe": "cpe:/a:redhat:quarkus:2.7", "product_name": "Red Hat build of Quarkus 2.7.7", "release_date": "2023-03-08T00:00:00Z"}, {"advisory": "RHSA-2023:0713", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "package": "jackson-databind", "product_name": "Red Hat Data Grid 8.4.1", "release_date": "2023-02-09T00:00:00Z"}, {"advisory": "RHSA-2023:0556", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "jackson-databind", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:2097", "cpe": "cpe:/a:redhat:satellite:6.13::el8", "package": "candlepin-0:4.2.13-1.el8sat", "product_name": "Red Hat Satellite 6.13 for RHEL 8", "release_date": "2023-05-03T00:00:00Z"}, {"advisory": "RHSA-2023:1049", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6", "package": "jackson-databind", "product_name": "Red Hat Single Sign-On 7.0", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:1043", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:1044", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:1045", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:1047", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso76-openshift-rhel8:7.6-20", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:0469", "cpe": "cpe:/a:redhat:camel_quarkus:2.13", "package": "jackson-databind", "product_name": "RHINT Camel-Q 2.13.2", "release_date": "2023-01-26T00:00:00Z"}, {"advisory": "RHSA-2023:3641", "cpe": "cpe:/a:redhat:camel_spring_boot:3.18", "package": "jackson-databind", "product_name": "RHINT Camel-Springboot 3.18.3.P2", "release_date": "2023-06-15T00:00:00Z"}, {"advisory": "RHSA-2023:2100", "cpe": "cpe:/a:redhat:camel_spring_boot:3.20.1", "package": "jackson-databind", "product_name": "RHINT Camel-Springboot 3.20.1", "release_date": "2023-05-03T00:00:00Z"}, {"advisory": "RHSA-2022:8781", "cpe": "cpe:/a:redhat:logging:5.5::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-273", "product_name": "RHOL-5.5-RHEL-8", "release_date": "2022-12-08T00:00:00Z"}, {"advisory": "RHSA-2022:8781", "cpe": "cpe:/a:redhat:logging:5.5::el8", "package": "openshift-logging/elasticsearch-operator-bundle:v5.5.5-14", "product_name": "RHOL-5.5-RHEL-8", "release_date": "2022-12-08T00:00:00Z"}, {"advisory": "RHSA-2022:8781", "cpe": "cpe:/a:redhat:logging:5.5::el8", "package": "openshift-logging/elasticsearch-proxy-rhel8:v1.0.0-311", "product_name": "RHOL-5.5-RHEL-8", "release_date": "2022-12-08T00:00:00Z"}, {"advisory": "RHSA-2022:8781", "cpe": "cpe:/a:redhat:logging:5.5::el8", "package": "openshift-logging/elasticsearch-rhel8-operator:v5.5.5-2", "product_name": "RHOL-5.5-RHEL-8", "release_date": "2022-12-08T00:00:00Z"}, {"advisory": "RHSA-2023:0264", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-285", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2023-01-19T00:00:00Z"}, {"advisory": "RHSA-2023:2135", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package": "jackson-databind", "product_name": "RHPAM 7.13.1 async", "release_date": "2023-05-04T00:00:00Z"}], "bugzilla": {"description": "jackson-databind: use of deeply nested arrays", "id": "2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-502", "details": ["In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.", "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization."], "name": "CVE-2022-42004", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "jackson-databind", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:amq_online:1", "fix_state": "Not affected", "package_name": "jackson-databind", "product_name": "Red Hat A-MQ Online"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "jackson-databind", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "jackson-databind", "product_name": "Red Hat build of Debezium 1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "jackson-databind", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "pki-deps:10.6/jackson-databind", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "jackson-databind", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "jackson-databind", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "jackson-databind", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "jackson-databind", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "jackson-databind", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "jackson-databind", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "jackson-databind", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "jboss-on", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "keycloak-adapter-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "keycloak-adapter-sso7_2-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "keycloak-adapter-sso7_3-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "keycloak-adapter-sso7_4-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "keycloak-adapter-sso7_5-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "jackson-databind", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "jackson-databind", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "jackson-databind", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "jackson-databind", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/server-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/udi-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "puppetserver", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Will not fix", "package_name": "jackson-databind", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2022-10-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-42004\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-42004"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object