{"id":"CVE-2022-42003","details":"In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.","aliases":["GHSA-jjjh-jjxp-wpff"],"modified":"2026-04-02T08:19:25.224290Z","published":"2022-10-02T05:15:09.070Z","related":["CGA-233h-qqvf-w294","MGASA-2024-0069","SUSE-SU-2022:3995-1","openSUSE-SU-2024:12412-1","openSUSE-SU-2024:14395-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20221124-0004/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5283"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202210-21"},{"type":"REPORT","url":"https://github.com/FasterXML/jackson-databind/issues/3590"},{"type":"FIX","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020"},{"type":"FIX","url":"https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fasterxml/jackson-databind","events":[{"introduced":"0"},{"fixed":"ea6f3d4b05dde564a1a5013dd34467d676072afa"},{"introduced":"70c5dfbd52410d99d36181072711125ac5240a15"},{"fixed":"19e6b6fbcfd4105dc6365928ebc2f07da61e78c5"},{"introduced":"0"},{"fixed":"bfe08f8178f028a71bc25bf68a8f690d0e484d9e"},{"fixed":"d78d00ee7b5245b93103fef3187f70543d67ca33"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.12.7.1"},{"introduced":"2.13.0"},{"fixed":"2.13.4.1"},{"introduced":"0"},{"fixed":"2.13.3"}]}}],"versions":["2.2.0c","2.6.0-rc3b","jackson-databind-2.0.0","jackson-databind-2.0.0-RC1","jackson-databind-2.0.0-RC2","jackson-databind-2.0.0-RC3","jackson-databind-2.0.1","jackson-databind-2.0.2","jackson-databind-2.0.4","jackson-databind-2.0.5","jackson-databind-2.0.6","jackson-databind-2.1.0","jackson-databind-2.1.1","jackson-databind-2.1.2","jackson-databind-2.1.3","jackson-databind-2.1.4","jackson-databind-2.1.5","jackson-databind-2.10.0","jackson-databind-2.10.0.pr1","jackson-databind-2.10.0.pr2","jackson-databind-2.10.0.pr3","jackson-databind-2.10.1","jackson-databind-2.10.2","jackson-databind-2.10.3","jackson-databind-2.10.4","jackson-databind-2.10.5","jackson-databind-2.10.5.1","jackson-databind-2.11.0","jackson-databind-2.11.0.rc1","jackson-databind-2.11.1","jackson-databind-2.11.2","jackson-databind-2.11.3","jackson-databind-2.11.4","jackson-databind-2.12.0","jackson-databind-2.12.0-rc1","jackson-databind-2.12.0-rc2","jackson-databind-2.12.1","jackson-databind-2.12.2","jackson-databind-2.12.3","jackson-databind-2.12.4","jackson-databind-2.12.5","jackson-databind-2.12.6","jackson-databind-2.12.6.1","jackson-databind-2.12.7","jackson-databind-2.13.0","jackson-databind-2.13.0-rc1","jackson-databind-2.13.0-rc2","jackson-databind-2.13.1","jackson-databind-2.13.2","jackson-databind-2.13.2.1","jackson-databind-2.13.2.2","jackson-databind-2.2.0","jackson-databind-2.2.0-rc1","jackson-databind-2.2.1","jackson-databind-2.2.2","jackson-databind-2.2.3","jackson-databind-2.2.4","jackson-databind-2.3.0","jackson-databind-2.3.0-rc1","jackson-databind-2.3.1","jackson-databind-2.3.2","jackson-databind-2.3.3","jackson-databind-2.3.4","jackson-databind-2.3.5","jackson-databind-2.4.0","jackson-databind-2.4.0-rc1","jackson-databind-2.4.0-rc2","jackson-databind-2.4.0-rc3","jackson-databind-2.4.1","jackson-databind-2.4.1.1","jackson-databind-2.4.1.2","jackson-databind-2.4.1.3","jackson-databind-2.4.2","jackson-databind-2.4.3","jackson-databind-2.4.4","jackson-databind-2.4.5","jackson-databind-2.4.5.1","jackson-databind-2.4.6","jackson-databind-2.4.6.1","jackson-databind-2.5.0","jackson-databind-2.5.0-rc1","jackson-databind-2.5.1","jackson-databind-2.5.2","jackson-databind-2.5.3","jackson-databind-2.5.4","jackson-databind-2.5.5","jackson-databind-2.6.0","jackson-databind-2.6.0-rc1","jackson-databind-2.6.0-rc2","jackson-databind-2.6.0-rc4","jackson-databind-2.6.1","jackson-databind-2.6.2","jackson-databind-2.6.3","jackson-databind-2.6.4","jackson-databind-2.6.5","jackson-databind-2.6.6","jackson-databind-2.6.7","jackson-databind-2.6.7.1","jackson-databind-2.6.7.2","jackson-databind-2.6.7.3","jackson-databind-2.6.7.4","jackson-databind-2.6.7.5","jackson-databind-2.7.0","jackson-databind-2.7.0-rc1","jackson-databind-2.7.0-rc2","jackson-databind-2.7.0-rc3","jackson-databind-2.7.1","jackson-databind-2.7.1-1","jackson-databind-2.7.2","jackson-databind-2.7.3","jackson-databind-2.7.4","jackson-databind-2.7.5","jackson-databind-2.7.6","jackson-databind-2.7.7","jackson-databind-2.7.8","jackson-databind-2.7.9","jackson-databind-2.7.9.1","jackson-databind-2.7.9.2","jackson-databind-2.7.9.3","jackson-databind-2.7.9.4","jackson-databind-2.7.9.5","jackson-databind-2.7.9.6","jackson-databind-2.7.9.7","jackson-databind-2.8.0","jackson-databind-2.8.1","jackson-databind-2.8.10","jackson-databind-2.8.11","jackson-databind-2.8.11.1","jackson-databind-2.8.11.2","jackson-databind-2.8.11.3","jackson-databind-2.8.11.4","jackson-databind-2.8.11.5","jackson-databind-2.8.11.6","jackson-databind-2.8.2","jackson-databind-2.8.3","jackson-databind-2.8.4","jackson-databind-2.8.5","jackson-databind-2.8.6","jackson-databind-2.8.7","jackson-databind-2.8.8","jackson-databind-2.8.8.1","jackson-databind-2.8.9","jackson-databind-2.9.0","jackson-databind-2.9.0.pr1","jackson-databind-2.9.0.pr2","jackson-databind-2.9.0.pr3","jackson-databind-2.9.0.pr4","jackson-databind-2.9.1","jackson-databind-2.9.10","jackson-databind-2.9.10.1","jackson-databind-2.9.10.2","jackson-databind-2.9.10.3","jackson-databind-2.9.10.4","jackson-databind-2.9.10.5","jackson-databind-2.9.10.6","jackson-databind-2.9.10.7","jackson-databind-2.9.10.8","jackson-databind-2.9.2","jackson-databind-2.9.3","jackson-databind-2.9.4","jackson-databind-2.9.5","jackson-databind-2.9.6","jackson-databind-2.9.7","jackson-databind-2.9.8","jackson-databind-2.9.9","jackson-databind-2.9.9.1","jackson-databind-2.9.9.2","jackson-databind-2.9.9.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-42003.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}],"vanir_signatures":[{"signature_version":"v1","target":{"file":"src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java","function":"_parseDateFromArray"},"source":"https://github.com/fasterxml/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33","signature_type":"Function","id":"CVE-2022-42003-0186158a","digest":{"function_hash":"55137452319108694706482285745217617530","length":662},"deprecated":false},{"signature_version":"v1","target":{"file":"src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java","function":"_parseDoublePrimitive"},"source":"https://github.com/fasterxml/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33","signature_type":"Function","id":"CVE-2022-42003-386e2b7a","digest":{"function_hash":"47721020587547126202446523876033959038","length":1357},"deprecated":false},{"signature_version":"v1","target":{"file":"src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java","function":"_parseIntPrimitive"},"source":"https://github.com/fasterxml/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33","signature_type":"Function","id":"CVE-2022-42003-58353f7f","digest":{"function_hash":"206540345752999551857275354278098542511","length":1280},"deprecated":false},{"signature_version":"v1","target":{"file":"src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java","function":"_parseFloatPrimitive"},"source":"https://github.com/fasterxml/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33","signature_type":"Function","id":"CVE-2022-42003-6953ec82","digest":{"function_hash":"281275484382631426376540227810656326634","length":1352},"deprecated":false},{"signature_version":"v1","target":{"file":"src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java","function":"_parseBytePrimitive"},"source":"https://github.com/fasterxml/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33","signature_type":"Function","id":"CVE-2022-42003-79e8d198","digest":{"function_hash":"135478626391291231095018157136329113765","length":1662},"deprecated":false},{"signature_version":"v1","target":{"file":"src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java","function":"_parseShortPrimitive"},"source":"https://github.com/fasterxml/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33","signature_type":"Function","id":"CVE-2022-42003-9718ec5c","digest":{"function_hash":"223055644582907238639488940967862329779","length":1666},"deprecated":false},{"signature_version":"v1","target":{"file":"src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java","function":"_deserializeWrappedValue"},"source":"https://github.com/fasterxml/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33","signature_type":"Function","id":"CVE-2022-42003-ac1d1511","digest":{"function_hash":"270913776082561270937780172546158092571","length":559},"deprecated":false},{"signature_version":"v1","target":{"file":"src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java","function":"_parseLongPrimitive"},"source":"https://github.com/fasterxml/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33","signature_type":"Function","id":"CVE-2022-42003-ae52424e","digest":{"function_hash":"192313351096101983191506739265478515641","length":1274},"deprecated":false},{"signature_version":"v1","target":{"file":"src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java"},"source":"https://github.com/fasterxml/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33","signature_type":"Line","id":"CVE-2022-42003-d4eba547","digest":{"threshold":0.9,"line_hashes":["187511702417318075088615199580365123083","171169106898272220752629563926196098962","150150120888474060006439263453847607586","278377087569584579382488064867174273902","68485079210258809759924195753443066027","150526317829052031114157955728720405051","171050482290259180972106012076516879653","55278627082560370506254892100768999380","44635266750468391322160524947826223926","52366394905964938253101698138283483707","103608730656823114944539280483604385345","107420883513953212602315834205907843964","137096913219287255149862401980951293790","52366394905964938253101698138283483707","304921270989571588141271522900336433317","316090080486845987421185064110993753952","337369675000051409608881544398995394352","52366394905964938253101698138283483707","198468286742088697922062587192951955495","135509450364336026895713661516662488364","136750278881149792215341503933938893525","52366394905964938253101698138283483707","319148903488428736266780308179310066412","131431545397128131509940293565692208685","42231487023768064643392472225658318289","52366394905964938253101698138283483707","197510294261582691528402512321329507399","139056194678482280507601557356524108982","327097463320694303410555973016174405694","52366394905964938253101698138283483707","7370891766700987213773116432973083125","284928217820157852072373395022562162415","296742389320967241727525604209727486885","52366394905964938253101698138283483707","247463767653475068543991721634745355060","209039258600155260051562415803609984341","336807441345153426732241512838299090052","144478078437557099183768286811152596338","57109704126805064372356840063810054920","82128203077953132336543396852093847974","258288701301954296117428434822529221568","286168596985988661043798144926634974261","231627223105871444847306047842254007041","21843859667944622968642714575778067374"]},"deprecated":false},{"signature_version":"v1","target":{"file":"src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java","function":"_parseBooleanPrimitive"},"source":"https://github.com/fasterxml/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33","signature_type":"Function","id":"CVE-2022-42003-eb276efa","digest":{"function_hash":"205053904232140672784182435672520456004","length":1525},"deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}