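In FasterXML jackson-databind before 2.13.4, resource exhaustion (denial of service) can occur because BeanDeserializer._deserializeFromArray lacks a check to prevent the use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization; the affected code path is the single-value array unwrapping controlled by DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS, which is disabled by default. Where upgrading is not immediately possible, leaving that feature disabled for deserializers that handle untrusted input avoids the affected path.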
{ "vanir_signatures": [ { "digest": { "function_hash": "41769431809239043105801363456361677444", "length": 185.0 }, "source": "https://github.com/fasterxml/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", "signature_type": "Function", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-42004-177dace2", "target": { "file": "src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java", "function": "testArrayWrapping" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "196164083740776567542182345255946541246", "10894080426655518553889929861642900518", "285497585603973688824816331635642080195", "262177914682987543292938895227102793127", "298595790872575652501042383929196324002", "241994611638143361585567038240044388292", "117393818864618325195207991637520669061", "116477719100725734768123961861805342497" ] }, "source": "https://github.com/fasterxml/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", "signature_type": "Line", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-42004-b1166048", "target": { "file": "src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java" } }, { "digest": { "function_hash": "187973000674063989520344797230644815276", "length": 1020.0 }, "source": "https://github.com/fasterxml/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", "signature_type": "Function", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-42004-c3275b0f", "target": { "file": "src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java", "function": "_deserializeFromArray" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "245221408806661661172976987552565576740", "115491996422398475562653924543632969622", "197858643989875646646709426998135342701", "114682010537655789279734069001341491122", "243574317414497553732521057942017015043", "210943436520935603188072514743451616414", "147521676498244637025003553143775234557", 
"96474537145626447436069197675871989278", "204985837386903992552570727398208016156", "113606183479390725392659529307859487808" ] }, "source": "https://github.com/fasterxml/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", "signature_type": "Line", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-42004-e3af9805", "target": { "file": "src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java" } } ] }