CGA-9vjr-qmvr-wg48
Resource Exhaustion vulnerability in jackson-databind (Maven)


What is CGA-9vjr-qmvr-wg48 About?

This vulnerability is a resource exhaustion issue in FasterXML jackson-databind due to a lack of deep array nesting checks. It can lead to denial of service by consuming excessive resources, and is moderately difficult to exploit as it requires a specific feature to be enabled and crafted input.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.13.0, <2.13.4
    • <2.12.7.1

Technical Details

The vulnerability lies within FasterXML jackson-databind, specifically in the BeanDeserializer._deserializeFromArray method. When the UNWRAP_SINGLE_VALUE_ARRAYS feature is explicitly enabled, the deserializer does not properly limit the depth of nested arrays during processing. An attacker can submit specially crafted JSON input containing a deeply nested array structure. This deep nesting causes the application to consume an inordinate amount of memory or CPU resources during deserialization, eventually leading to resource exhaustion and a denial of service condition.

What is the Impact of CGA-9vjr-qmvr-wg48?

Successful exploitation may allow attackers to cause a denial of service, rendering the affected service unavailable to legitimate users.

What is the Exploitability of CGA-9vjr-qmvr-wg48?

Exploitation of this vulnerability requires controlled input to the application's JSON deserialization functionality. The complexity is moderate due to the prerequisite that the UNWRAP_SINGLE_VALUE_ARRAYS feature must be explicitly enabled in the jackson-databind configuration. No specific authentication or high privileges are required, as the attack typically targets a public-facing API endpoint that accepts JSON input. This is generally a remote attack. The primary risk factor increasing likelihood is an application processing untrusted JSON data with the vulnerable feature enabled, allowing an attacker to craft a payload that triggers the deep nesting.

What are the Known Public Exploits?

No known exploits are listed (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CGA-9vjr-qmvr-wg48?

A Fix by Resolved Security Exists!
Learn how our approach backports security patches directly to your dependencies.

About the Fix from Resolved Security

The patch prevents nested arrays when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled by explicitly checking for a second '[' token and throwing an exception if one is found. This mitigates CVE-2022-42004 by rejecting maliciously crafted deeply nested arrays that could otherwise cause a stack overflow or denial of service during deserialization.
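A defensive pattern for services that cannot upgrade immediately, covering both the vulnerable code path in Technical Details and the depth check the fix above describes: keep UNWRAP_SINGLE_VALUE_ARRAYS at its default (disabled) and screen untrusted JSON for container nesting depth with the streaming parser before binding it to a bean. This is an added example, not code from the advisory, from Resolved Security or from jackson-databind; it assumes jackson-databind 2.x on the classpath and Java 11+ (for String.repeat), and the Point class and the depth cap of 32 are hypothetical.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

// Added example, not code from the advisory or from jackson-databind: screen untrusted
// JSON for excessive container nesting before it reaches the data-binding layer.
public class BoundedDepthReader {
    // Hypothetical cap; size it to the deepest structure the API legitimately accepts.
    private static final int MAX_NESTING_DEPTH = 32;
    private final ObjectMapper mapper = new ObjectMapper();
    public BoundedDepthReader() {
        // The affected code path in BeanDeserializer._deserializeFromArray only runs when
        // this feature is enabled; keep it at its default (off) unless the API needs it.
        mapper.disable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
    }
    // Streaming pass: linear in input size and non-recursive, so it is safe to run first.
    static void checkDepth(ObjectMapper mapper, String json, int maxDepth) throws IOException {
        int depth = 0;
        try (JsonParser p = mapper.getFactory().createParser(json)) {
            for (JsonToken t = p.nextToken(); t != null; t = p.nextToken()) {
                if (t == JsonToken.START_ARRAY || t == JsonToken.START_OBJECT) {
                    if (++depth > maxDepth) {
                        throw new IOException("JSON nesting depth exceeds " + maxDepth);
                    }
                } else if (t == JsonToken.END_ARRAY || t == JsonToken.END_OBJECT) {
                    depth--;
                }
            }
        }
    }
    public <T> T readValue(String untrustedJson, Class<T> type) throws IOException {
        checkDepth(mapper, untrustedJson, MAX_NESTING_DEPTH);
        return mapper.readValue(untrustedJson, type);
    }
    public static class Point { public int x; public int y; }
    public static void main(String[] args) throws IOException {
        BoundedDepthReader reader = new BoundedDepthReader();
        System.out.println("parsed x=" + reader.readValue("{\"x\":1,\"y\":2}", Point.class).x);
        // Constructed input: 10,000 nested arrays, rejected by checkDepth once depth reaches 33.
        String nested = "[".repeat(10_000) + "]".repeat(10_000);
        try {
            reader.readValue(nested, Point.class);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On jackson-core 2.15 and later the parser can enforce the same limit itself through StreamReadConstraints (maxNestingDepth, default 1000), which makes the separate pre-pass unnecessary.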

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • <2.12.7.1 → Upgrade to 2.12.7.1
  • com.fasterxml.jackson.core:jackson-databind
    • >2.13.0, <2.13.4 → Upgrade to 2.13.4


Additional Resources

What are Similar Vulnerabilities to CGA-9vjr-qmvr-wg48?

Similar Vulnerabilities: CVE-2022-42003, CVE-2023-1370, CVE-2023-26144, CVE-2023-25153, CVE-2022-36944