DSA-5283-1 jackson-databind -- jackson-databindID: oval:org.secpod.oval:def:88433 | Date: (C)2023-03-28 (M)2024-01-23 |
Class: PATCH | Family: unix |
Several flaws were discovered in jackson-databind, a fast and powerful JSON library for Java. CVE-2020-36518 Java StackOverflow exception and denial of service via a large depth of nested objects. CVE-2022-42003 In FasterXML jackson-databind resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. CVE-2022-42004 In FasterXML jackson-databind resource exhaustion can occur because of a lack of a check in BeanDeserializerBase.deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Product: |
libjackson2-databind-java |