CVE-2022-42004 - Denial of Service (DoS)
Severity: None
2022-12-15
Abstract
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
The Oxygen products incorporate FasterXML jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Oxygen XML Author v25.0 and older | None | N/A |
| Oxygen XML Developer v25.0 and older | None | N/A |
| Oxygen XML Editor v25.0 and older | None | N/A |
| Oxygen XML Web Author v25.0 and older | None | N/A |
| Oxygen Content Fusion v5.0.1 and older | None | Content Fusion 5.0.2 build 2022121305 |
| Oxygen Feedback v2.1.2 and older | None | Oxygen Feedback 2.1.4 build 2022111716 |
Detail
CVE-2022-42004
Severity: High
CVSS Score: 7.5
The FasterXML jackson-databind version bundled with the Oxygen XML products falls within the range affected by CVE-2022-42004. However, the vulnerability is only reachable when the DeserializationFeature UNWRAP_SINGLE_VALUE_ARRAYS is enabled, and the Oxygen products do not enable it. For that reason, the Oxygen XML products are not affected by this vulnerability.
Starting with Oxygen Content Fusion v5.0.2 build 2022121305, the FasterXML jackson-databind library was updated to v2.13.4.2, which fixes this vulnerability.
Starting with Oxygen Feedback v2.1.4 build 2022111716, the FasterXML jackson-databind library was updated to v2.13.4.2, which fixes this vulnerability.
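The assessment above rests on two conditions: the bundled jackson-databind is older than 2.13.4, and the application has opted in to UNWRAP_SINGLE_VALUE_ARRAYS. The following is an added example, not code from Oxygen or from the Jackson project, that checks both conditions on a given ObjectMapper and runs a shallow, non-exhausting probe that distinguishes a mapper which unwraps nested arrays from one that rejects them. It assumes jackson-databind (any 2.x) on the classpath; the `Item` bean is a hypothetical stand-in for an application POJO, and the expectation that fixed versions answer the probe with a MismatchedInputException reflects our understanding of the 2.13.4 fix rather than anything stated in the advisory.

```java
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.MismatchedInputException;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class UnwrapArrayCheck {

    // Hypothetical bean standing in for any application POJO.
    public static class Item {
        public String name;
    }

    /** Wraps the given JSON in `depth` nested arrays, e.g. depth 3 gives [[[{...}]]]. */
    static String nest(String json, int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append(json);
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** True if the jackson-databind on the classpath is older than 2.13.4, the first release with the fix. */
    static boolean databindOlderThan2_13_4(ObjectMapper mapper) {
        Version v = mapper.version();   // reported by the databind module itself
        if (v.getMajorVersion() != 2) return v.getMajorVersion() < 2;
        if (v.getMinorVersion() != 13) return v.getMinorVersion() < 13;
        return v.getPatchLevel() < 4;   // 2.13.4.2 parses as patch level 4, so it passes
    }

    /**
     * Exposure to CVE-2022-42004 requires BOTH a vulnerable version AND the opt-in feature;
     * this is the reasoning the advisory applies to the Oxygen products.
     */
    static boolean exposed(ObjectMapper mapper) {
        boolean unwrap = mapper.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        return unwrap && databindOlderThan2_13_4(mapper);
    }

    /**
     * Behavioural probe at depth 3, far too shallow to exhaust the stack:
     *  - a mapper that unwraps nested arrays (pre-fix code with the feature on) returns the bean;
     *  - a fixed mapper, or one with the feature off, rejects the array with MismatchedInputException.
     */
    static String probe(ObjectMapper mapper) throws Exception {
        String input = nest("{\"name\":\"probe\"}", 3);   // constructed sample input
        try {
            Item item = mapper.readValue(input, Item.class);
            return "unwrapped nested arrays (" + item.name + "): pre-fix behaviour";
        } catch (MismatchedInputException e) {
            return "rejected nested array: fixed version or feature disabled";
        }
    }

    public static void main(String[] args) throws Exception {
        // Weak configuration: the opt-in feature the CVE requires.
        ObjectMapper weak = JsonMapper.builder()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)
                .build();
        // Hardened configuration: the feature is off by default; stating it explicitly
        // documents the intent and survives later copy-pasted enable() calls being noticed in review.
        ObjectMapper safe = JsonMapper.builder()
                .disable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)
                .build();

        System.out.println("jackson-databind " + weak.version());
        System.out.println("weak mapper exposed: " + exposed(weak) + "; probe: " + probe(weak));
        System.out.println("safe mapper exposed: " + exposed(safe) + "; probe: " + probe(safe));
    }
}
```

Run it against each mapper an application constructs, not just the default one: the feature is set per ObjectMapper, so a single mapper enabled for a legacy endpoint is enough to reopen the issue even when the rest of the application is configured like the `safe` mapper. Upgrading to 2.13.4 or later removes the dependency on configuration altogether, which is why the Content Fusion and Feedback releases above moved to 2.13.4.2.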