CVE-2022-42003 - Denial of Service (DoS)
Severity: None
2022-12-14
Abstract
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fixed versions are 2.13.4.1 and 2.12.17.1.
The Oxygen products incorporate FasterXML jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen XML Author v25.0 and older | None | N/A |
Oxygen XML Developer v25.0 and older | None | N/A |
Oxygen XML Editor v25.0 and older | None | N/A |
Oxygen XML Web Author v25.0.0 and older | None | N/A |
Oxygen Content Fusion v5.0.1 and older | None | Oxygen Content Fusion 5.0.2 build 2022121305 |
Oxygen Publishing Engine v25.0 and older | None | Oxygen Publishing Engine 25.0 build 2022121304 |
Oxygen Feedback v2.1.3 and older | None | Oxygen Feedback 2.1.4 build 2022111716 |
Detail
CVE-2022-42003
Severity: High
CVSS Score: 7.5
The version of the FasterXML jackson-databind third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2022-42003 vulnerability description. However, the Oxygen products do not enable the UNWRAP_SINGLE_VALUE_ARRAYS feature. For that reason, Oxygen XML products are not affected by this vulnerability.
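Any application that bundles jackson-databind can check the same precondition on its own mapper instances. The following Java class is an added example, not code from Oxygen or FasterXML; the class name, the depth limit of 32 and the sample inputs are assumptions. It reports whether UNWRAP_SINGLE_VALUE_ARRAYS is enabled and, for mappers that need the feature, rejects over-nested arrays with a token-level scan before any data binding takes place.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

// Added example: class name, depth limit and sample inputs are assumptions.
public class UnwrapFeatureAudit {
    static final int MAX_ARRAY_DEPTH = 32; // assumed policy value, not from the advisory

    // True when this mapper has the precondition named in CVE-2022-42003.
    static boolean unwrapEnabled(ObjectMapper mapper) {
        return mapper.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
    }

    // Token-level scan (no data binding): returns false as soon as array
    // nesting exceeds the limit, so the input never reaches a deserializer.
    static boolean withinArrayDepth(ObjectMapper mapper, String json, int limit)
            throws IOException {
        int depth = 0;
        try (JsonParser parser = mapper.getFactory().createParser(json)) {
            for (JsonToken t = parser.nextToken(); t != null; t = parser.nextToken()) {
                if (t == JsonToken.START_ARRAY && ++depth > limit) {
                    return false;
                } else if (t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper defaults = new ObjectMapper();
        ObjectMapper unwrapping = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        System.out.println("default mapper has feature enabled: " + unwrapEnabled(defaults));
        System.out.println("configured mapper has feature enabled: " + unwrapEnabled(unwrapping));

        // Constructed inputs: an ordinary wrapper and one nested past the limit.
        String ordinary = "[[42]]";
        int n = MAX_ARRAY_DEPTH + 1;
        String overNested = "[".repeat(n) + "42" + "]".repeat(n);
        System.out.println("ordinary accepted: "
                + withinArrayDepth(unwrapping, ordinary, MAX_ARRAY_DEPTH));
        System.out.println("over-nested accepted: "
                + withinArrayDepth(unwrapping, overNested, MAX_ARRAY_DEPTH));
    }
}
```

The depth guard is a compensating control for mappers that cannot drop the feature; upgrading to a fixed jackson-databind release remains the actual remediation.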