
JSON deserialization vulnerability allows remote attacker to cause denial of service via maliciously crafted HTTP request

Affected product(s)

  • Gradle Enterprise 2018.5.1 - 2022.3.4

Severity

High

Published at

2022-11-26

Related CVE ID(s)

Description

Gradle Enterprise uses Jackson Databind to generate and parse JSON data, including parsing JSON HTTP request bodies. Before Jackson version 2.14.0-rc1, parsing maliciously crafted JSON data may lead to denial of service via resource exhaustion. This vulnerability can be used to cause the Gradle Enterprise server to restart and not respond to requests for several minutes.

Mitigation

Users should update to Gradle Enterprise 2022.3.5, which is no longer susceptible to these JSON parsing vulnerabilities.

References