CVE-2022-42003 - Denial of Service (DoS)

Severity: None

2022-12-14


Abstract

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because primitive value deserializers lack a check to avoid deep wrapper array nesting when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix versions are 2.13.4.1 and 2.12.17.1.

The Oxygen products incorporate FasterXML jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

| Product | Severity | Fixed Release Availability |
|---|---|---|
| Oxygen XML Author v25.0 and older | None | N/A |
| Oxygen XML Developer v25.0 and older | None | N/A |
| Oxygen XML Editor v25.0 and older | None | N/A |
| Oxygen XML Web Author v25.0.0 and older | None | N/A |
| Oxygen Content Fusion v5.0.1 and older | None | Oxygen Content Fusion 5.0.2 build 2022121305 |
| Oxygen Publishing Engine v25.0 and older | None | Oxygen Publishing Engine 25.0 build 2022121304 |
| Oxygen Feedback v2.1.3 and older | None | Oxygen Feedback 2.1.4 build 2022111716 |

Mitigation

None

Detail

CVE-2022-42003

Severity: High

CVSS Score: 7.5

The version of the FasterXML jackson-databind third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2022-42003 vulnerability description. However, the Oxygen products do not enable the UNWRAP_SINGLE_VALUE_ARRAYS feature. For that reason, Oxygen XML products are not affected by this vulnerability.
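The same exposure check can be applied to any application that bundles jackson-databind. The following is an added example, not code from Oxygen or from the Jackson project: it tests whether a mapper has UNWRAP_SINGLE_VALUE_ARRAYS enabled and, if so, bounds nesting depth with the streaming parser before binding. The class name, method names and the MAX_DEPTH value are assumptions made for illustration.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public class UnwrapArrayAudit {
    // Hypothetical limit for this example; set it to the deepest legitimate document.
    static final int MAX_DEPTH = 32;

    // True when the mapper has the precondition named in CVE-2022-42003 switched on.
    // The feature is disabled by default, so this is only true after an explicit enable().
    static boolean isExposed(ObjectMapper mapper) {
        return mapper.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
    }

    // Streams tokens without binding and returns the deepest array/object nesting seen,
    // returning early as soon as the limit is exceeded.
    static int maxNesting(String json, int limit) throws IOException {
        int depth = 0, deepest = 0;
        try (JsonParser p = new JsonFactory().createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_ARRAY || t == JsonToken.START_OBJECT) {
                    deepest = Math.max(deepest, ++depth);
                    if (deepest > limit) return deepest;
                } else if (t == JsonToken.END_ARRAY || t == JsonToken.END_OBJECT) {
                    depth--;
                }
            }
        }
        return deepest;
    }

    // Binds to a primitive only after the depth guard has passed on an exposed mapper.
    static int readInt(ObjectMapper mapper, String json) throws IOException {
        if (isExposed(mapper) && maxNesting(json, MAX_DEPTH) > MAX_DEPTH) {
            throw new IOException("nesting exceeds " + MAX_DEPTH + "; rejected before binding");
        }
        return mapper.readValue(json, int.class);
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper defaults = new ObjectMapper();
        ObjectMapper unwrapping = new ObjectMapper().enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        System.out.println("default mapper exposed: " + isExposed(defaults));
        System.out.println("unwrapping mapper exposed: " + isExposed(unwrapping));
        // Constructed sample input: a single wrapper array around a primitive.
        System.out.println("value: " + readInt(unwrapping, "[42]"));
    }
}
```

The depth guard is a compensating control for mappers that must keep the feature enabled; upgrading to one of the fixed jackson-databind versions listed in the abstract removes the underlying defect.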
