CVE-2022-42003
Published Oct 2, 2022
·Updated
A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.
Affected Software
69 affected componentsFixes available
redhat/jenkins<2-plugins-0:4.11.1686831822-1.el8
2-plugins-0:4.11.1686831822-1.el8
redhat/jenkins<2-plugins-0:4.12.1675702407-1.el8
2-plugins-0:4.12.1675702407-1.el8
redhat/eap7-jackson-databind<0:2.12.7-1.redhat_00003.1.el8ea
0:2.12.7-1.redhat_00003.1.el8ea
redhat/eap7-jackson-databind<0:2.12.7-1.redhat_00003.1.el9ea
0:2.12.7-1.redhat_00003.1.el9ea
redhat/eap7-jackson-databind<0:2.12.7-1.redhat_00003.1.el7ea
0:2.12.7-1.redhat_00003.1.el7ea
redhat/candlepin<0:4.1.19-1.el7
0:4.1.19-1.el7
redhat/foreman<0:3.1.1.26-1.el7
0:3.1.1.26-1.el7
redhat/satellite<0:6.11.5-1.el7
0:6.11.5-1.el7
redhat/satellite-clone<0:3.1.1-2.el7
0:3.1.1-2.el7
redhat/tfm-pulpcore-python-naya<0:1.1.1-1.1.el7
0:1.1.1-1.1.el7
redhat/tfm-pulpcore-python-pulp-container<0:2.9.9-1.el7
0:2.9.9-1.el7
redhat/tfm-pulpcore-python-pulpcore<0:3.16.15-1.el7
0:3.16.15-1.el7
redhat/tfm-rubygem-actioncable<0:6.0.6-2.el7
0:6.0.6-2.el7
redhat/tfm-rubygem-actionmailbox<0:6.0.6-2.el7
0:6.0.6-2.el7
redhat/tfm-rubygem-actionmailer<0:6.0.6-2.el7
0:6.0.6-2.el7
redhat/tfm-rubygem-actionpack<0:6.0.6-2.el7
0:6.0.6-2.el7
redhat/tfm-rubygem-actiontext<0:6.0.6-2.el7
0:6.0.6-2.el7
redhat/tfm-rubygem-actionview<0:6.0.6-2.el7
0:6.0.6-2.el7
redhat/tfm-rubygem-activejob<0:6.0.6-2.el7
0:6.0.6-2.el7
redhat/tfm-rubygem-activemodel<0:6.0.6-2.el7
0:6.0.6-2.el7
redhat/tfm-rubygem-activerecord<0:6.0.6-2.el7
0:6.0.6-2.el7
redhat/tfm-rubygem-activestorage<0:6.0.6-2.el7
0:6.0.6-2.el7
redhat/tfm-rubygem-activesupport<0:6.0.6-1.el7
0:6.0.6-1.el7
redhat/tfm-rubygem-katello<0:4.3.0.52-1.el7
0:4.3.0.52-1.el7
redhat/tfm-rubygem-rails<0:6.0.6-2.el7
0:6.0.6-2.el7
redhat/tfm-rubygem-railties<0:6.0.6-2.el7
0:6.0.6-2.el7
redhat/candlepin<0:4.1.19-1.el8
0:4.1.19-1.el8
redhat/foreman<0:3.1.1.26-1.el8
0:3.1.1.26-1.el8
redhat/python-naya<0:1.1.1-1.1.el8
0:1.1.1-1.1.el8
redhat/python-pulp-container<0:2.9.9-1.el8
0:2.9.9-1.el8
redhat/python-pulpcore<0:3.16.15-1.el8
0:3.16.15-1.el8
redhat/rubygem-actioncable<0:6.0.6-2.el8
0:6.0.6-2.el8
redhat/rubygem-actionmailbox<0:6.0.6-2.el8
0:6.0.6-2.el8
redhat/rubygem-actionmailer<0:6.0.6-2.el8
0:6.0.6-2.el8
redhat/rubygem-actionpack<0:6.0.6-2.el8
0:6.0.6-2.el8
redhat/rubygem-actiontext<0:6.0.6-2.el8
0:6.0.6-2.el8
redhat/rubygem-actionview<0:6.0.6-2.el8
0:6.0.6-2.el8
redhat/rubygem-activejob<0:6.0.6-2.el8
0:6.0.6-2.el8
redhat/rubygem-activemodel<0:6.0.6-2.el8
0:6.0.6-2.el8
redhat/rubygem-activerecord<0:6.0.6-2.el8
0:6.0.6-2.el8
redhat/rubygem-activestorage<0:6.0.6-2.el8
0:6.0.6-2.el8
redhat/rubygem-activesupport<0:6.0.6-1.el8
0:6.0.6-1.el8
redhat/rubygem-katello<0:4.3.0.52-1.el8
0:4.3.0.52-1.el8
redhat/rubygem-rails<0:6.0.6-2.el8
0:6.0.6-2.el8
redhat/rubygem-railties<0:6.0.6-2.el8
0:6.0.6-2.el8
redhat/satellite<0:6.11.5-1.el8
0:6.11.5-1.el8
redhat/satellite-clone<0:3.1.1-2.el8
0:3.1.1-2.el8
redhat/candlepin<0:4.1.18-1.el8
0:4.1.18-1.el8
redhat/foreman<0:3.3.0.18-1.el8
0:3.3.0.18-1.el8
redhat/python-pulp-container<0:2.10.10-1.el8
0:2.10.10-1.el8
redhat/python-pulpcore<0:3.18.11-1.el8
0:3.18.11-1.el8
redhat/python-pulp-rpm<0:3.18.9-1.el8
0:3.18.9-1.el8
redhat/rubygem-katello<0:4.5.0.22-1.el8
0:4.5.0.22-1.el8
redhat/satellite<0:6.12.1-1.el8
0:6.12.1-1.el8
redhat/satellite-clone<0:3.2.0-2.el8
0:3.2.0-2.el8
redhat/candlepin<0:4.2.13-1.el8
0:4.2.13-1.el8
redhat/rh-sso7-keycloak<0:18.0.6-1.redhat_00001.1.el7
0:18.0.6-1.redhat_00001.1.el7
redhat/rh-sso7-keycloak<0:18.0.6-1.redhat_00001.1.el8
0:18.0.6-1.redhat_00001.1.el8
redhat/rh-sso7-keycloak<0:18.0.6-1.redhat_00001.1.el9
0:18.0.6-1.redhat_00001.1.el9
debian/jackson-databind<=2.9.8-3+deb10u3
2.9.8-3+deb10u52.12.1-1+deb11u12.14.0-1
maven/com.fasterxml.jackson.core:jackson-databind>=2.13.0<2.13.4.2
2.13.4.2
maven/com.fasterxml.jackson.core:jackson-databind>=2.4.0-rc1<2.12.7.1
2.12.7.1
fasterxml jackson-databind<2.12.7.1
fasterxml jackson-databind>=2.13.0<2.13.4.1
Quarkus Quarkus<2.13.3
Debian Debian Linux=10.0
Debian Debian Linux=11.0
NetApp OnCommand Workflow Automation
IBM InfoSphere Data Architect<=9.2.1
Remediation
Patch Available
Event History
Oct 2, 2022
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Oct 3, 2022
Advisory Published
via GitHub·12:00 AM
Oct 17, 2022
Data Sourced
via Red Hat·06:54 AM
DescriptionSeverityAffected Software
Mar 4, 2026
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2022-42003?
CVE-2022-42003 has been assigned a medium severity rating due to its potential for resource exhaustion.
2
How do I fix CVE-2022-42003?
To fix CVE-2022-42003, update to the recommended patched versions of the affected packages.
3
Which versions are affected by CVE-2022-42003?
CVE-2022-42003 affects various versions of FasterXML jackson-databind and other dependent packages up until certain versions.
4
What causes CVE-2022-42003?
CVE-2022-42003 is caused by unchecked primitive value deserializers when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
5
Is there a workaround for CVE-2022-42003?
Disabling the UNWRAP_SINGLE_VALUE_ARRAYS feature in your application can serve as a temporary workaround for CVE-2022-42003.