From 2f574fd168ac3bda8256b1a9b3fc13e471b4af9e Mon Sep 17 00:00:00 2001
From: Chenglong Hu
Date: Tue, 15 Nov 2022 22:06:46 +0800
Subject: [PATCH] Improve GHSA-rgv9-q543-rqg4
---
 .../GHSA-rgv9-q543-rqg4.json | 23 +++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/advisories/github-reviewed/2022/10/GHSA-rgv9-q543-rqg4/GHSA-rgv9-q543-rqg4.json b/advisories/github-reviewed/2022/10/GHSA-rgv9-q543-rqg4/GHSA-rgv9-q543-rqg4.json
index c30a847e60188..e87e760949a05 100644
--- a/advisories/github-reviewed/2022/10/GHSA-rgv9-q543-rqg4/GHSA-rgv9-q543-rqg4.json
+++ b/advisories/github-reviewed/2022/10/GHSA-rgv9-q543-rqg4/GHSA-rgv9-q543-rqg4.json
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.3.0",
 "id": "GHSA-rgv9-q543-rqg4",
- "modified": "2022-10-05T22:25:35Z",
+ "modified": "2022-11-15T14:06:46Z",
 "published": "2022-10-03T00:00:31Z",
 "aliases": [
 "CVE-2022-42004"
 ],
 "summary": "Uncontrolled Resource Consumption in FasterXML jackson-databind",
- "details": "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.",
+ "details": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.",
 "severity": [
 {
 "type": "CVSS_V3",
@@ -33,6 +33,25 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "com.fasterxml.jackson.core:jackson-databind"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.12.7.1"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
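Review bot: The range added in the second hunk (`"introduced": "0"` to `"fixed": "2.12.7.1"`) will not clear the 2.12.7.1 backport for scanners unless the pre-existing `affected` entry for the same package is narrowed as well. That entry's `events` lie outside this hunk, but the old description ("before 2.13.4") suggests it still runs from `"introduced": "0"` to `"fixed": "2.13.4"`. If so, the two ranges overlap, and a consumer matching on ranges would keep reporting the patched 2.12.7.1 as vulnerable because it sorts below 2.13.4. The existing range should start at the 2.13 line, `"introduced": "2.13.0"`, so the machine-readable data agrees with the updated `details` text ("in 2.13.x before 2.13.4").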