The general-purpose data-binding functionality and tree-model for the Jackson Data Processor. It builds on the core streaming parser/generator package and uses Jackson Annotations for configuration.
Security Fix(es):
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. (CVE-2020-36518)
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. (CVE-2022-42003)
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. (CVE-2022-42004)
{ "severity": "High" }
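An input-side guard for the nesting-depth condition that CVE-2020-36518, CVE-2022-42003 and CVE-2022-42004 share, as an added example (not code from this advisory or from the jackson-databind project). The class name `NestingGuard`, the `MAX_DEPTH` value of 64 and the sample inputs are assumptions made for illustration; upgrading to the fixed versions listed above remains the fix.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class NestingGuard {
    // Assumed limit for this example; set it to the deepest document you legitimately accept.
    static final int MAX_DEPTH = 64;
    static final JsonFactory FACTORY = new JsonFactory();
    // UNWRAP_SINGLE_VALUE_ARRAYS is off by default; disabling it explicitly pins that choice.
    static final ObjectMapper MAPPER = new ObjectMapper()
            .disable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);

    // Walks the token stream in a loop (no recursion), so the check itself cannot overflow the stack.
    static int maxDepth(byte[] json, int limit) throws IOException {
        int depth = 0, deepest = 0;
        try (JsonParser p = FACTORY.createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t.isStructStart()) {            // START_OBJECT or START_ARRAY
                    if (++depth > limit) {
                        throw new IOException("JSON nesting exceeds " + limit + " levels");
                    }
                    deepest = Math.max(deepest, depth);
                } else if (t.isStructEnd()) {       // END_OBJECT or END_ARRAY
                    depth--;
                }
            }
        }
        return deepest;
    }

    // Rejects over-deep input before data-binding ever sees it.
    static JsonNode readTreeGuarded(byte[] json) throws IOException {
        maxDepth(json, MAX_DEPTH);
        return MAPPER.readTree(json);
    }

    public static void main(String[] args) throws IOException {
        byte[] ok = "{\"a\":[1,{\"b\":2}]}".getBytes(StandardCharsets.UTF_8); // constructed, depth 3
        System.out.println(readTreeGuarded(ok));
        byte[] deep = "[".repeat(5000).getBytes(StandardCharsets.UTF_8);      // constructed, 5000 open arrays
        try { readTreeGuarded(deep); }
        catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The guard reads the payload twice, once as a token stream and once for binding, so apply it where untrusted JSON enters the application rather than on every internal call.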