Effective URL: https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424
DENIAL OF SERVICE (DOS) AFFECTING COM.FASTERXML.JACKSON.CORE:JACKSON-DATABIND PACKAGE, VERSIONS [2.4.0,2.12.7.1) [2.13.0,2.13.4)

--------------------------------------------------------------------------------

SEVERITY

Recommended: 5.9 medium (on a 0 to 10 scale)

CVSS assessment made by Snyk's security team.


THREAT INTELLIGENCE

 * Exploit Maturity: Proof of concept
 * EPSS: 0.26% (67th percentile)

 * Snyk ID SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424
 * published 2 Oct 2022
 * disclosed 1 Oct 2022
 * credit Unknown


INTRODUCED: 1 OCT 2022

CVE-2022-42004

CWE-400



HOW TO FIX?

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.12.7.1, 2.13.4
or higher.


OVERVIEW

com.fasterxml.jackson.core:jackson-databind is a library which contains the
general-purpose data-binding functionality and tree-model for Jackson Data
Processor.

Affected versions of this package are vulnerable to Denial of Service (DoS) in
the _deserializeFromArray() function in BeanDeserializer, due to resource
exhaustion when processing a deeply nested array.

NOTE: For this vulnerability to be exploitable, the non-default DeserializationFeature must be enabled.


DETAILS

Denial of Service (DoS) describes a family of attacks, all aimed at making a
system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching
security. Rather, they are focused on making websites and services unavailable
to genuine users, resulting in downtime.

One well-known form of Denial of Service attack is DDoS (Distributed Denial of
Service), which attempts to clog the network pipes to a system by generating a
large volume of traffic from many machines.

In the context of open source libraries, DoS vulnerabilities allow attackers to
crash or cripple a service by exploiting a flaw either in the application code
or in an open source library it uses.

Two common types of DoS vulnerabilities:

 * High CPU/Memory Consumption - An attacker sends crafted requests that cause
   the system to take a disproportionate amount of time or memory to process.
   For example, commons-fileupload:commons-fileupload.

 * Crash - An attacker sends crafted requests that cause the system to crash.
   For example, the npm ws package.




CVSS SCORES

CVSS version 3.1


SNYK

5.9 medium
 * Attack Vector (AV): Network
 * Attack Complexity (AC): High
 * Privileges Required (PR): None
 * User Interaction (UI): None
 * Scope (S): Unchanged
 * Confidentiality (C): None
 * Integrity (I): None
 * Availability (A): High


NVD

7.5 high


SUSE

7.5 high


RED HAT

7.5 high


© 2024 Snyk Limited

Registered in England and Wales. Company number: 09677925

Registered address: Highlands House, Basingstoke Road, Spencers Wood, Reading,
Berkshire, RG7 1NT.