GHSA-3R7J-8MQH-6QHX
Vulnerability from github – Published: 2022-10-20 18:20 – Updated: 2022-10-25 20:37
Summary
Jadx-gui vulnerable to swing HTML Denial of Service (DoS) attack
Details
Impact
Opening a specially crafted zip file in jadx-gui, where an entry contains an HTML sequence such as `<html><frame>`, causes the interface to get stuck and throw exceptions like:
```
java.lang.RuntimeException: Can't build aframeset, BranchElement(frameset) 1,3
:no ROWS or COLS defined.
	at java.desktop/javax.swing.text.html.HTMLEditorKit$HTMLFactory.create(HTMLEditorKit.java:1387)
	at java.desktop/javax.swing.plaf.basic.BasicHTML$BasicHTMLViewFactory.create(BasicHTML.java:379)
	at java.desktop/javax.swing.text.CompositeView.loadChildren(CompositeView.java:112)
```
References
https://www.oracle.com/java/technologies/javase/seccodeguide.html
Guideline 3-7 / INJECT-7: Disable HTML display in Swing components:
Many Swing pluggable look-and-feels interpret text in certain components starting with `<html>` as HTML. If the text is from an untrusted source, an adversary may craft the HTML such that other components appear to be present or to perform inclusion attacks.
To disable the HTML render feature, set the "html.disable" client property of each component to Boolean.TRUE (no other Boolean true instance will do).
```java
label.putClientProperty("html.disable", true);
```
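The guideline's mitigation applied to labels that display untrusted names, as an added Java example; it is not jadx's code or its actual fix. The class and method names are hypothetical, and the sample string is constructed, benign markup standing in for an untrusted zip entry name.

```java
import java.awt.Component;
import java.awt.Container;
import javax.swing.JComponent;
import javax.swing.JLabel;
import javax.swing.JPanel;
import javax.swing.plaf.basic.BasicHTML;

// Hypothetical demo class: shows html.disable on single labels and on a whole component tree.
public class HtmlDisableDemo {
    private static final String HTML_DISABLE = "html.disable"; // key from guideline INJECT-7

    // Builds a label for untrusted text with HTML rendering switched off.
    static JLabel plainLabel(String untrusted) {
        JLabel label = new JLabel();
        // Set the property before the text is assigned, so no HTML view is built for it.
        label.putClientProperty(HTML_DISABLE, Boolean.TRUE);
        label.setText(untrusted);
        return label;
    }

    // The guideline says "each component": walk the tree and set the property everywhere.
    static void disableHtml(Component root) {
        if (root instanceof JComponent) {
            ((JComponent) root).putClientProperty(HTML_DISABLE, Boolean.TRUE);
        }
        if (root instanceof Container) {
            for (Component child : ((Container) root).getComponents()) {
                disableHtml(child);
            }
        }
    }

    // True if the look-and-feel attached an HTML view, i.e. the text was parsed as HTML.
    static boolean rendersHtml(JComponent c) {
        return c.getClientProperty(BasicHTML.propertyKey) != null;
    }

    public static void main(String[] args) {
        String untrusted = "<html><b>classes.dex</b>"; // constructed sample input
        JLabel unsafe = new JLabel(untrusted);         // default behaviour: parsed as HTML
        JLabel safe = plainLabel(untrusted);           // hardened: shown as literal text
        JPanel panel = new JPanel();
        JLabel status = new JLabel();
        panel.add(status);
        disableHtml(panel);                            // harden first, assign text afterwards
        status.setText(untrusted);
        System.out.printf("default=%b hardened=%b inPanel=%b%n",
                rendersHtml(unsafe), rendersHtml(safe), rendersHtml(status));
    }
}
```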
Severity
5.5 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.4"
},
"package": {
"ecosystem": "Maven",
"name": "io.github.skylot:jadx-plugins-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39259"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2022-10-20T18:20:28Z",
"nvd_published_at": "2022-10-21T23:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nUsing jadx-gui to open a special zip file with entry containing HTML sequence like `\u003chtml\u003e\u003cframe\u003e` will cause interface to get stuck and throw exceptions like:\n```\njava.lang.RuntimeException: Can\u0027t build aframeset, BranchElement(frameset) 1,3\n:no ROWS or COLS defined.\n\tat java.desktop/javax.swing.text.html.HTMLEditorKit$HTMLFactory.create(HTMLEditorKit.java:1387)\n\tat java.desktop/javax.swing.plaf.basic.BasicHTML$BasicHTMLViewFactory.create(BasicHTML.java:379)\n\tat java.desktop/javax.swing.text.CompositeView.loadChildren(CompositeView.java:112)\n```\n\n### References\nhttps://www.oracle.com/java/technologies/javase/seccodeguide.html\n\nGuideline 3-7 / INJECT-7: Disable HTML display in Swing components:\n\nMany Swing pluggable look-and-feels interpret text in certain components starting with \u003chtml\u003e as HTML. If the text is from an untrusted source, an adversary may craft the HTML such that other components appear to be present or to perform inclusion attacks.\n\nTo disable the HTML render feature, set the \"html.disable\" client property of each component to Boolean.TRUE (no other Boolean true instance will do).\n```java\nlabel.putClientProperty(\"html.disable\", true);\n```\n\n",
"id": "GHSA-3r7j-8mqh-6qhx",
"modified": "2022-10-25T20:37:53Z",
"published": "2022-10-20T18:20:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-3r7j-8mqh-6qhx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39259"
},
{
"type": "PACKAGE",
"url": "https://github.com/skylot/jadx"
},
{
"type": "WEB",
"url": "https://github.com/skylot/jadx/releases/tag/v1.4.5"
},
{
"type": "WEB",
"url": "https://www.oracle.com/java/technologies/javase/seccodeguide.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Jadx-gui vulnerable to swing HTML Denial of Service (DoS) attack"
}