REDHAT-BUG-2135247
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. https://github.com/FasterXML/jackson-databind/issues/3582 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490 https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
Affected Software
Event History
Frequently Asked Questions
What is the severity of REDHAT-BUG-2135247?
The severity of REDHAT-BUG-2135247 is considered moderate due to the potential for resource exhaustion.
How do I fix REDHAT-BUG-2135247?
To fix REDHAT-BUG-2135247, upgrade FasterXML jackson-databind to version 2.13.4 or later.
Which versions are affected by REDHAT-BUG-2135247?
Versions of FasterXML jackson-databind before 2.13.4 are affected by REDHAT-BUG-2135247.
What causes REDHAT-BUG-2135247?
REDHAT-BUG-2135247 is caused by a lack of checks in the deserialization process for deeply nested arrays.
Is my application vulnerable to REDHAT-BUG-2135247?
Your application is vulnerable to REDHAT-BUG-2135247 only if it uses specific customized choices for deserialization.