[GHSA-jjjh-jjxp-wpff] Uncontrolled Resource Consumption in Jackson-databind #4016
Conversation
Hi @sunSUNQ, you are correct that FasterXML/jackson-databind@d499f2e, FasterXML/jackson-databind@0e37a39, and FasterXML/jackson-databind@7ba9ac5 are not patches for CVE-2022-42003. FasterXML/jackson-databind@d499f2e and FasterXML/jackson-databind@0e37a39 are the commits that introduced the vulnerable code; FasterXML/jackson-databind@7ba9ac5 introduces vulnerable code that was fixed in the patch. Compare FasterXML/jackson-databind@d78d00e#diff-416896884d1e0706562f38c160757ff53196c441ce86a4ca49923f7aebad6a36 lines 357-368 with FasterXML/jackson-databind@7ba9ac5#diff-416896884d1e0706562f38c160757ff53196c441ce86a4ca49923f7aebad6a36 lines 245-255. I have added FasterXML/jackson-databind@2c4a601 as a reference link and added explanations of the commits that introduced vulnerable code and the commits that fixed vulnerable code to the description.
Hi @sunSUNQ! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Comments
Hi, I only found three patches related to CVE-2022-42003:
FasterXML/jackson-databind@2c4a601, FasterXML/jackson-databind@cd09097, FasterXML/jackson-databind@d78d00e
I do not think the other commits are patches for this CVE.