CVE-2022-42003

About vulnerability

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Affected product:

Apache Hadoop , Apache Hive , Apache Kafka , Apache Spark , Apache Struts , Hibernate , Jackson , Spring , Wildfly , accumulo , activemq , agepredictor , avro , aws-sdk-java , calcite , cas-client-core , couchbase-jvm-clients , cxf , elasticsearch , gradle , hazelcast , hbase , http-client , incubator-retired-htrace , java-cas-client , java-driver , json-schema-validator , kubernetes-client , logging-log4j2 , lucene , parquet-java , smallrye-open-api , solr , swagger-core , swagger-jaxrs2 , tika , tinkerpop , wildfly

Affected packages:

spring-boot-devtools @ 2.7.18 (+2338 more)

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.