MAGEIA-2024-69
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. (CVE-2020-36518) In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. (CVE-2022-42003) In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. (CVE-2022-42004)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mageia | jackson-databind | 0, 2.11.4-2.1.mga9, 0 |
| Salesforce | flow | |
| Mageia | neovim | 0, 0.9.5-1.mga9 |
Timeline
- Feb 23, 2024 CVE Published
- Mar 16, 2024 CVE Updated
- Mar 17, 2026 Distribution Patch
- Mar 17, 2026 Distribution Patch
- Mar 17, 2026 Security Advisory
- Mar 17, 2026 Security Advisory
References
- Updated jackson-databind packages fix security vulnerabilities advisory
- Updated jackson-databind packages fix security vulnerabilities issue
- Updated jackson-databind packages fix security vulnerabilities issue
- Updated jackson-databind packages fix security vulnerabilities issue
- Updated jackson-databind packages fix security vulnerabilities issue
- Updated jackson-databind packages fix security vulnerabilities issue
- Updated jackson-databind packages fix security vulnerabilities advisory
- Updated jackson-databind packages fix security vulnerabilities advisory
- Updated jackson-databind packages fix security vulnerabilities advisory
- Updated jackson-databind packages fix security vulnerabilities advisory
- Updated packages fix issue
- Updated packages fix advisory