OESA-2023-1921
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1921
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2023-1921.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/OESA-2023-1921
- Upstream
- Published
- 2023-12-15T11:06:29Z
- Modified
- 2025-08-12T05:06:36.398425Z
- Summary
- jackson-databind security update
- Details
-
The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration.
Security Fix(es):
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.(CVE-2020-36518)
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAPSINGLEVALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1(CVE-2022-42003)
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.(CVE-2022-42004)
- Database specific
{ "severity": "High" }- References
Affected packages
openEuler:20.03-LTS-SP1 / jackson-databind
Package
- Name
- jackson-databind
- Purl
- pkg:rpm/openEuler/jackson-databind&distro=openEuler-20.03-LTS-SP1
openEuler:20.03-LTS-SP3 / jackson-databind
Package
- Name
- jackson-databind
- Purl
- pkg:rpm/openEuler/jackson-databind&distro=openEuler-20.03-LTS-SP3
openEuler:22.03-LTS / jackson-databind
Package
- Name
- jackson-databind
- Purl
- pkg:rpm/openEuler/jackson-databind&distro=openEuler-22.03-LTS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.9.8-10.oe2203sp2
Ecosystem specific
{
"src": [
"jackson-databind-2.9.8-10.oe2203.src.rpm",
"jackson-databind-2.9.8-10.oe2203sp1.src.rpm",
"jackson-databind-2.9.8-10.oe2203sp2.src.rpm"
],
"noarch": [
"jackson-databind-javadoc-2.9.8-10.oe2203.noarch.rpm",
"jackson-databind-2.9.8-10.oe2203.noarch.rpm",
"jackson-databind-2.9.8-10.oe2203sp1.noarch.rpm",
"jackson-databind-javadoc-2.9.8-10.oe2203sp1.noarch.rpm",
"jackson-databind-javadoc-2.9.8-10.oe2203sp2.noarch.rpm",
"jackson-databind-2.9.8-10.oe2203sp2.noarch.rpm"
]
}
openEuler:22.03-LTS-SP1 / jackson-databind
Package
- Name
- jackson-databind
- Purl
- pkg:rpm/openEuler/jackson-databind&distro=openEuler-22.03-LTS-SP1