Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Add check in `BeanDeserializer._deserializeFromArray()` to prevent use of deeply nested arrays [CVE-2022-42004]
See original GitHub issueFix included in
- 2.13.4
- 2.12.7.1 micro-patch (jackson-bom 2.12.7.20221012)
(note: found by oss-fuzz, see: https://bugs.chromium.org/p/oss-fuzz/issues)
Currently feature DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS is supported by most types, and deserializers tend to implement support using recursion, effectively allowing multiple nested layers of JSON Arrays to be unwrapped.
This is not a feature to support but just an implementation detail; ideally we should only allow a single JSON Array to wrap a value.
I think I have removed ability for deeper nesting from some other types so there may be some prior art.
Issue Analytics
- State:
- Created a year ago
- Comments:23 (7 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@henryrneh I think it is reasonable to file a CVE for this, although one caveat is that it is only applicable if users enable specific
DeserializationFeatureand not with vanilla (default) setting ofObjectMapper. So that should probably at least be reflect in applicability – I do not have any statistics of how common enabling this feature is but it probably is minority of usage.Big thank you @chadlwilson! I appreciate this and I am sure everyone with a Jackson dependency & sec scanning system does so too. 😃