
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-42003 affects FasterXML jackson-databind versions before 2.13.4.1 and 2.12.17.1. The vulnerability is a resource exhaustion caused by a missing check in the primitive value deserializers that should prevent deep wrapper array nesting, specifically when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled (CVE Details, MITRE CVE).
The root cause is that the primitive value deserializers do not bound how deeply a value may be wrapped in single-element arrays when UNWRAP_SINGLE_VALUE_ARRAYS is enabled. The issue specifically affects methods such as _parseBooleanPrimitive in StdDeserializer, which use a pattern that allows "too deep" nesting (GitHub Issue). The vulnerability has been assigned a CVSS score of 7.5 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Advisory).
Successful exploitation could lead to Denial of Service (DoS) through resource exhaustion. The vulnerability affects applications that use jackson-databind with the UNWRAP_SINGLE_VALUE_ARRAYS feature enabled (NetApp Advisory, Debian Security).
The vulnerability has been fixed in jackson-databind versions 2.13.4.1, 2.12.17.1, and 2.14.0-rc1. Users are advised to upgrade to these or later versions. The fix includes adding checks in primitive value deserializers to prevent deep wrapper array nesting (GitHub Issue, Gentoo Security).
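As an added example that is not part of this advisory or of the Jackson project, the following Java program shows the input shape the advisory describes (a primitive wrapped in many single-element arrays, unwrapped because UNWRAP_SINGLE_VALUE_ARRAYS is enabled) and a defense-in-depth guard that walks the token stream with jackson-core and rejects excessive array nesting before databind deserializes the value. The depth limit of 32 and the helper names are assumptions; upgrading to a fixed version remains the actual fix.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class WrapperDepthGuard {

    // Assumed bound: legitimate single-value wrapping is one level deep, so a
    // small limit rejects the deep nesting the advisory describes while leaving
    // normal payloads untouched.
    static final int MAX_ARRAY_DEPTH = 32;

    // Streams over the tokens with jackson-core only and fails fast when array
    // nesting exceeds the bound, before any deserializer recurses on the input.
    static void rejectDeepArrays(String json, int maxDepth) throws IOException {
        try (JsonParser p = new JsonFactory().createParser(json)) {
            int depth = 0;
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_ARRAY && ++depth > maxDepth) {
                    throw new IOException("array nesting exceeds " + maxDepth);
                } else if (t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        }
    }

    // Guarded read: the depth check runs first, then databind unwraps the value.
    static boolean readBooleanGuarded(ObjectMapper mapper, String json) throws IOException {
        rejectDeepArrays(json, MAX_ARRAY_DEPTH);
        return mapper.readValue(json, boolean.class);
    }

    // Constructed input: a boolean wrapped in `depth` single-element arrays.
    static String wrapBoolean(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append("true");
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        System.out.println("unwrapped: " + readBooleanGuarded(mapper, wrapBoolean(1)));
        try {
            readBooleanGuarded(mapper, wrapBoolean(10_000));
        } catch (IOException e) {
            System.out.println("rejected before databind: " + e.getMessage());
        }
    }
}
```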
Source: This report was generated using AI