CVE-2022-42004

About vulnerability

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Affected product:

Apache Hadoop , Apache Hive , Apache Kafka , Apache Spark , Apache Struts , Hibernate , Jackson , Spring , Wildfly , accumulo , activemq , agepredictor , avro , aws-sdk-java , calcite , cas-client-core , couchbase-jvm-clients , cxf , elasticsearch , gradle , hazelcast , hbase , http-client , incubator-retired-htrace , java-cas-client , java-driver , json-schema-validator , kubernetes-client , logging-log4j2 , lucene , parquet-java , solr , swagger-core , swagger-jaxrs2 , tika , tinkerpop , wildfly

Affected packages:

hive-testutils @ 2.3.9 (+2335 more)

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.