CVE-2022-42004 - Denial of Service (DoS)

Severity: None

Date: 2022-12-15


Abstract

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

The Oxygen products incorporate FasterXML jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product                  Affected Versions    Severity   Fixed Release Availability
Oxygen XML Author        v25.0 and older      None       N/A
Oxygen XML Developer     v25.0 and older      None       N/A
Oxygen XML Editor        v25.0 and older      None       N/A
Oxygen XML Web Author    v25.0 and older      None       N/A
Oxygen Content Fusion    v5.0.1 and older     None       Content Fusion 5.0.2 build 2022121305
Oxygen Feedback          v2.1.2 and older     None       Oxygen Feedback 2.1.4 build 2022111716

Mitigation

None

Detail

CVE-2022-42004

Severity (as rated for the CVE itself, not for the Oxygen products): High

CVSS Score (CVE rating): 7.5

The FasterXML jackson-databind version bundled with the Oxygen XML products falls within the affected range given in the CVE-2022-42004 description. However, the vulnerable code path in BeanDeserializer._deserializeFromArray is only reached when the deserialization feature UNWRAP_SINGLE_VALUE_ARRAYS is enabled, and the Oxygen products do not enable it. For that reason, the Oxygen XML products are not affected by this vulnerability.
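The following is an added example, not code from Oxygen or from the jackson-databind project, that shows the condition the paragraph above relies on: the nested-array path in BeanDeserializer._deserializeFromArray is only entered when UNWRAP_SINGLE_VALUE_ARRAYS is enabled. The Config bean and the JSON payloads are constructed for illustration, and the class assumes a jackson-databind 2.13.x jar (with jackson-core and jackson-annotations) on the classpath. With the default mapper, both a single-wrapped and a deeply nested array are rejected with a type-mismatch error before any recursion happens; with unwrapping enabled, a single-wrapped value deserializes, and the deeply nested one either overflows the stack (unfixed 2.13.x) or is rejected by the check added in 2.13.4.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;

/**
 * Added example (not Oxygen or FasterXML code). Shows why CVE-2022-42004 only
 * matters when UNWRAP_SINGLE_VALUE_ARRAYS is enabled, and how to audit a mapper.
 * Assumes jackson-databind 2.13.x on the classpath.
 */
public class UnwrapArraysCheck {

    /** Hypothetical deserialization target; any bean with a default constructor works. */
    public static class Config {
        public String name;
    }

    /** Constructed payload: `depth` nested arrays wrapping one JSON object. */
    static String nestedArrayPayload(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2 + 16);
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append("{\"name\":\"x\"}");
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Audit helper: true if this mapper can reach the vulnerable unwrap path at all. */
    static boolean reachesUnwrapPath(ObjectMapper mapper) {
        return mapper.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
    }

    /** Deserializes `json` into Config and reports what happened instead of propagating. */
    static String describe(ObjectMapper mapper, String json) {
        try {
            Config c = mapper.readValue(json, Config.class);
            return "deserialized name=" + c.name;
        } catch (JsonMappingException e) {
            // Default mapper: "Cannot deserialize ... from Array value" (no recursion).
            // Fixed unwrapping mapper (2.13.4+): nested array rejected by the new check.
            return "rejected: " + e.getOriginalMessage();
        } catch (StackOverflowError e) {
            // Unfixed 2.13.x with unwrapping enabled: one recursion per nesting level.
            return "StackOverflowError (vulnerable configuration and version)";
        } catch (java.io.IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("jackson-databind " + PackageVersion.VERSION);

        // Default configuration: the feature is off, which is what the advisory states for Oxygen.
        ObjectMapper defaults = new ObjectMapper();
        System.out.println("default mapper unwraps arrays: " + reachesUnwrapPath(defaults));

        // The opt-in configuration that makes an application exposed before 2.13.4.
        ObjectMapper unwrapping = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        System.out.println("unwrapping mapper unwraps arrays: " + reachesUnwrapPath(unwrapping));

        String single = nestedArrayPayload(1);     // [{"name":"x"}]
        String deep = nestedArrayPayload(50_000);  // [[[[ ... {"name":"x"} ... ]]]]

        System.out.println("default, single : " + describe(defaults, single));
        System.out.println("unwrap,  single : " + describe(unwrapping, single));
        System.out.println("default, deep   : " + describe(defaults, deep));
        System.out.println("unwrap,  deep   : " + describe(unwrapping, deep));
    }
}
```

Compile and run with the three Jackson jars on the classpath (for example `javac -cp 'lib/*' UnwrapArraysCheck.java && java -cp 'lib/*:.' UnwrapArraysCheck`). The `reachesUnwrapPath` check is the useful part for an audit: grep a code base for `UNWRAP_SINGLE_VALUE_ARRAYS` or call `isEnabled` on every `ObjectMapper` it builds, since the default mapper never enters the affected path regardless of library version. One caveat when re-running this on newer releases: from jackson-core 2.15 the parser applies its own nesting-depth limit, so the deep payload is rejected at the parser level before the bean deserializer is involved.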

Starting with Oxygen Content Fusion v5.0.2 build 2022121305, the FasterXML jackson-databind library was updated to v2.13.4.2, which fixes this vulnerability.

Starting with Oxygen Feedback v2.1.4 build 2022111716, the FasterXML jackson-databind library was updated to v2.13.4.2, which fixes this vulnerability.
