
[GHSA-rgv9-q543-rqg4] Uncontrolled Resource Consumption in FasterXML jackson-databind

Open SunBK201 opened this issue 1 year ago • 1 comment

Updates

  • Affected products

Comments

According to the patch, this vulnerability was introduced in 2.4.0.

SunBK201 avatar Jun 05 '24 14:06 SunBK201

Hi @SunBK201, I have a question about the claim that the vulnerability was introduced in 2.4.0. Did you find that information at https://github.com/FasterXML/jackson-databind/blob/063183589218fec19a9293ed2f17ec53ea80ba88/release-notes/VERSION-2.x#L1885-L1890? I've noticed that https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424 says that the vulnerability was introduced in 2.4.0, but the reference links there contain the same information as the reference links for GHSA-rgv9-q543-rqg4.

I checked https://github.com/FasterXML/jackson-databind/blob/jackson-databind-2.4.0/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java and was unable to find the _deserializeFromArray function in the BeanDeserializer.java file in version 2.4.0.

shelbyc avatar Jun 05 '24 15:06 shelbyc