The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on the core streaming parser/generator package, and uses Jackson Annotations for configuration.
Security Fix(es):
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. (CVE-2020-36518)
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1 (CVE-2022-42003)
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. (CVE-2022-42004)
{ "severity": "High" }
{ "src": [ "jackson-databind-2.9.8-10.oe2203.src.rpm", "jackson-databind-2.9.8-10.oe2203sp1.src.rpm", "jackson-databind-2.9.8-10.oe2203sp2.src.rpm" ], "noarch": [ "jackson-databind-javadoc-2.9.8-10.oe2203.noarch.rpm", "jackson-databind-2.9.8-10.oe2203.noarch.rpm", "jackson-databind-2.9.8-10.oe2203sp1.noarch.rpm", "jackson-databind-javadoc-2.9.8-10.oe2203sp1.noarch.rpm", "jackson-databind-javadoc-2.9.8-10.oe2203sp2.noarch.rpm", "jackson-databind-2.9.8-10.oe2203sp2.noarch.rpm" ] }