ghsa-264p-99wq-f4j6
Vulnerability from github
Impact
A potential denial-of-service issue exists in ion-java
for applications that use ion-java
to:
- Deserialize Ion text encoded data, or
- Deserialize Ion text or binary encoded data into the
IonValue
model and then invoke certainIonValue
methods on that in-memory representation.
An actor could craft Ion data that, when loaded by the affected application and/or processed using the IonValue
model, results in a StackOverflowError
originating from the ion-java
library.
Impacted versions: <1.10.5
Patches
The patch is included in ion-java
>= 1.10.5.
Workarounds
Do not load data which originated from an untrusted source or that could have been tampered with. Only load data you trust.
If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
[1] https://aws.amazon.com/security/vulnerability-reporting
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "com.amazon.ion:ion-java" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.10.5" } ], "type": "ECOSYSTEM" } ] }, { "database_specific": { "last_known_affected_version_range": "\u003c 1.10.5" }, "package": { "ecosystem": "Maven", "name": "software.amazon.ion:ion-java" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2024-21634" ], "database_specific": { "cwe_ids": [ "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2024-01-03T22:04:08Z", "nvd_published_at": "2024-01-03T23:15:08Z", "severity": "HIGH" }, "details": "### Impact\n\nA potential denial-of-service issue exists in\u00a0`ion-java`\u00a0for applications that use\u00a0`ion-java`\u00a0to:\n\n* Deserialize Ion text encoded data, or\n* Deserialize Ion text or binary encoded data into the\u00a0`IonValue`\u00a0model and then invoke certain\u00a0`IonValue`\u00a0methods on that in-memory representation.\n\nAn actor could craft Ion data that, when loaded by the affected application and/or processed using the\u00a0`IonValue`\u00a0model, results in a\u00a0`StackOverflowError`\u00a0originating from the\u00a0`ion-java`\u00a0library.\n\nImpacted versions: \u003c1.10.5\n\n### Patches\n\nThe patch is included in `ion-java` \u003e= 1.10.5.\n\n### Workarounds\n\nDo not load data which originated from an untrusted source or that could have been tampered with. **Only load data you trust.**\n\n----\n\nIf you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n[1] https://aws.amazon.com/security/vulnerability-reporting", "id": "GHSA-264p-99wq-f4j6", "modified": "2024-04-12T17:08:03Z", "published": "2024-01-03T22:04:08Z", "references": [ { "type": "WEB", "url": "https://github.com/amazon-ion/ion-java/security/advisories/GHSA-264p-99wq-f4j6" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21634" }, { "type": "PACKAGE", "url": "https://github.com/amazon-ion/ion-java" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "Ion Java StackOverflow vulnerability" }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.