PT-2022-6919 · Atlassian · Bitbucket Server
Published: 2022-10-02 · Updated: 2025-01-28
CVE-2022-42004
CVSS v4.0: 8.2 (High)
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
FasterXML jackson-databind versions prior to 2.13.4
Bamboo Data Center and Server versions 9.1.0, 9.2.1, and 9.3.0
Bitbucket Data Center and Server versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, and 8.13.0
Description
The issue is resource exhaustion caused by a missing check in BeanDeserializer.deserializeFromArray that would prevent the use of deeply nested arrays. It can occur only when the UNWRAP_SINGLE_VALUE_ARRAYS feature is explicitly enabled, so an application is vulnerable only with certain customized deserialization settings. The vulnerability allows an unauthenticated attacker to target assets in the environment that are susceptible to exploitation, with no impact to confidentiality, no impact to integrity, and high impact to availability, requiring no user interaction.
Recommendations
For FasterXML jackson-databind versions prior to 2.13.4, upgrade to version 2.13.4 or later.
For Bamboo Data Center and Server version 9.2, upgrade to a release greater than or equal to 9.2.5.
For Bamboo Data Center and Server version 9.3, upgrade to a release greater than or equal to 9.3.3.
For Bitbucket Data Center and Server version 7.21, upgrade to a release greater than or equal to 7.21.14.
For Bitbucket Data Center and Server version 8.9, upgrade to a release greater than or equal to 8.9.4.
For Bitbucket Data Center and Server version 8.10, upgrade to a release greater than or equal to 8.10.4.
For Bitbucket Data Center and Server version 8.11, upgrade to a release greater than or equal to 8.11.3 or 8.11.4.
For Bitbucket Data Center and Server version 8.12, upgrade to a release greater than or equal to 8.12.1 or 8.12.2.
For Bitbucket Data Center and Server version 8.13, upgrade to a release greater than or equal to 8.13.1.
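The following is an added example, not code from the advisory, from FasterXML or from Atlassian. It shows, in Java, how a defender can audit an ObjectMapper for the risky combination the description names (UNWRAP_SINGLE_VALUE_ARRAYS enabled on a jackson-databind build older than the 2.13.4 fix) and how to bound parser nesting depth as a defence in depth. The class name, the Payload bean and the test input are constructed for this example; the StreamReadConstraints API assumed here was introduced in Jackson 2.15, so it applies only after the upgrade recommended above.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

// Hypothetical audit helper written for this example.
public class JacksonUnwrapAudit {

    // Bean used as the deserialization target (constructed for this example).
    public static class Payload {
        public int value;
    }

    // Earliest jackson-databind release carrying the fix, per the advisory.
    static final Version FIXED =
        new Version(2, 13, 4, null, "com.fasterxml.jackson.core", "jackson-databind");

    // True when the mapper has the unwrap feature switched on and the runtime
    // jackson-databind is older than 2.13.4 (the combination the advisory describes).
    static boolean isExposed(ObjectMapper mapper) {
        boolean unwrapEnabled =
            mapper.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        boolean unpatched = mapper.version().compareTo(FIXED) < 0;
        return unwrapEnabled && unpatched;
    }

    // Hardened mapper: the feature stays on only where the application needs it,
    // and the parser rejects any document nested deeper than maxDepth before any
    // deserializer recursion happens (StreamReadConstraints, Jackson 2.15+).
    static ObjectMapper hardenedMapper(int maxDepth) {
        JsonFactory factory = JsonFactory.builder()
            .streamReadConstraints(
                StreamReadConstraints.builder().maxNestingDepth(maxDepth).build())
            .build();
        return JsonMapper.builder(factory)
            .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)
            .build();
    }

    // Constructed test input: `inner` wrapped in `depth` array levels.
    static String nested(String inner, int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append(inner);
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Typical legacy configuration: feature enabled, no depth limit.
        ObjectMapper legacy = JsonMapper.builder()
            .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)
            .build();
        System.out.println("jackson-databind " + legacy.version()
            + ", legacy mapper exposed: " + isExposed(legacy));

        ObjectMapper safe = hardenedMapper(100);

        // Normal use of the feature still works: a few wrapping levels are unwrapped.
        String shallow = nested("{\"value\":1}", 3);
        System.out.println("shallow unwrap -> value="
            + safe.readValue(shallow, Payload.class).value);

        // A document far deeper than the limit is refused by the parser itself.
        String deep = nested("{\"value\":1}", 5000);
        try {
            safe.readValue(deep, Payload.class);
            System.out.println("unexpected: deep document accepted");
        } catch (StreamConstraintsException e) {
            System.out.println("rejected by depth limit: " + e.getMessage());
        }
    }
}
```

Run it against the jackson-databind build actually on the application classpath: isExposed reports on the library version loaded at runtime, which is the figure that matters when a product such as Bamboo or Bitbucket bundles its own copy. The nesting cap is a second control, not a substitute for the upgrade, because the fixed deserializer check is what closes the issue on 2.13.4 and later.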
Exploit
Fix
DoS · Resource Exhaustion · Deserialization of Untrusted Data
Related Identifiers
Affected Products
Astra Linux
Bamboo
Bamboo Server
Bitbucket
Bitbucket Server
Jira
Jira Service Management Server
Rocky Linux
Suse
Jackson-Databind