ghsa-g8p6-p27c-52fx
Vulnerability from github
Published
2023-11-03 09:32
Modified
2023-11-03 19:47
Severity
5.9 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Eclipse Parsson Denial of Service vulnerability
Details

In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.

To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.parsson:project"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.parsson:project"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-4043"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-834"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-03T19:47:25Z",
    "nvd_published_at": "2023-11-03T09:15:13Z",
    "severity": "MODERATE"
  },
  "details": "In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.\n\n\nTo mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.\n\n\n",
  "id": "GHSA-g8p6-p27c-52fx",
  "modified": "2023-11-03T19:47:25Z",
  "published": "2023-11-03T09:32:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4043"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-ee4j/parsson/pull/100"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Eclipse Parsson Denial of Service vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.