{
  "affected": [
    {
      "database_specific": {
        "unresolved_ranges": [
          {
            "events": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "10.0"
              }
            ]
          },
          {
            "events": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "11.0"
              }
            ]
          }
        ]
      },
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "2.12.7.1"
              },
              {
                "introduced": "2.13.0"
              },
              {
                "fixed": "2.13.4.1"
              },
              {
                "introduced": "0"
              },
              {
                "fixed": "2.13.3"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "ea6f3d4b05dde564a1a5013dd34467d676072afa"
            },
            {
              "introduced": "70c5dfbd52410d99d36181072711125ac5240a15"
            },
            {
              "fixed": "19e6b6fbcfd4105dc6365928ebc2f07da61e78c5"
            },
            {
              "introduced": "0"
            },
            {
              "fixed": "bfe08f8178f028a71bc25bf68a8f690d0e484d9e"
            },
            {
              "fixed": "d78d00ee7b5245b93103fef3187f70543d67ca33"
            }
          ],
          "repo": "https://github.com/fasterxml/jackson-databind",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled, because primitive value deserializers lack a check that prevents deep nesting of wrapper arrays. Note: the version ranges in this record give the 2.12.x fix as 2.12.7.1, not 2.12.17.1.",
  "id": "CVE-2022-42003",
  "modified": "2026-04-01T23:08:35.067452743Z",
  "published": "2022-10-02T05:15:09.070Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://security.netapp.com/advisory/ntap-20221124-0004/"
    },
    {
      "type": "ADVISORY",
      "url": "https://www.debian.org/security/2022/dsa-5283"
    },
    {
      "type": "ADVISORY",
      "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://security.gentoo.org/glsa/202210-21"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/FasterXML/jackson-databind/issues/3590"
    },
    {
      "type": "FIX",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020"
    },
    {
      "type": "FIX",
      "url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}