{"id":"MGASA-2024-0069","summary":"Updated jackson-databind packages fix security vulnerabilities","details":"jackson-databind before 2.13.0 allows a Java StackOverflow exception and\ndenial of service via a large depth of nested objects. (CVE-2020-36518)\nIn FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1,\nresource exhaustion can occur because of a lack of a check in primitive\nvalue deserializers to avoid deep wrapper array nesting, when the\nUNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. (CVE-2022-42003)\nIn FasterXML jackson-databind before 2.13.4, resource exhaustion can\noccur because of a lack of a check in\nBeanDeserializer._deserializeFromArray to prevent use of deeply nested\narrays. An application is vulnerable only with certain customized\nchoices for deserialization. (CVE-2022-42004)\n","modified":"2026-04-16T00:10:22.522512218Z","published":"2024-03-16T16:28:17Z","upstream":["CVE-2020-36518","CVE-2022-42003","CVE-2022-42004"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2024-0069.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=30368"},{"type":"WEB","url":"https://www.debian.org/lts/security/2022/dla-2990"},{"type":"WEB","url":"https://lists.suse.com/pipermail/sle-security-updates/2022-May/011022.html"},{"type":"WEB","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WTX6HAJ7KVGVZQ6APMA35RM7R7BKVSMB/"},{"type":"WEB","url":"https://lists.suse.com/pipermail/sle-security-updates/2022-November/012934.html"},{"type":"WEB","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3IQ2OJSME4FMTGEF2CROURE4WDT3DEVB/"},{"type":"WEB","url":"https://www.debian.org/security/2022/dsa-5283"},{"type":"WEB","url":"https://www.debian.org/lts/security/2022/dla-3207"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2023:2312"}],"affected":[{"package":{"name":"jackson-databind","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/jackson-databind?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.11.4-2.1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2024-0069.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}