gsd - gsd-2022-40149

gsd-2022-40149

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

Aliases

CVE-2022-40149

Aliases

CVE-2022-40149

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-40149",
    "description": "Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.",
    "id": "GSD-2022-40149",
    "references": [
      "https://www.debian.org/security/2023/dsa-5312",
      "https://www.suse.com/security/cve/CVE-2022-40149.html",
      "https://access.redhat.com/errata/RHSA-2023:0469",
      "https://access.redhat.com/errata/RHSA-2023:0544",
      "https://access.redhat.com/errata/RHSA-2023:0552",
      "https://access.redhat.com/errata/RHSA-2023:0553",
      "https://access.redhat.com/errata/RHSA-2023:0554",
      "https://access.redhat.com/errata/RHSA-2023:0556",
      "https://access.redhat.com/errata/RHSA-2023:1043",
      "https://access.redhat.com/errata/RHSA-2023:1044",
      "https://access.redhat.com/errata/RHSA-2023:1045",
      "https://access.redhat.com/errata/RHSA-2023:1047",
      "https://access.redhat.com/errata/RHSA-2023:1049"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-40149"
      ],
      "details": "Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.",
      "id": "GSD-2022-40149",
      "modified": "2023-12-13T01:19:31.272475Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@google.com",
        "ID": "CVE-2022-40149",
        "STATE": "PUBLIC",
        "TITLE": "Stack Buffer Overflow in Jettison"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Jettison",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_value": "1.4.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Jettison"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-121 Stack-based Buffer Overflow"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538",
            "refsource": "MISC",
            "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538"
          },
          {
            "name": "https://github.com/jettison-json/jettison/issues/45",
            "refsource": "MISC",
            "url": "https://github.com/jettison-json/jettison/issues/45"
          },
          {
            "name": "[debian-lts-announce] 20221110 [SECURITY] [DLA 3184-1] libjettison-java security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html"
          },
          {
            "name": "DSA-5312",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2023/dsa-5312"
          }
        ]
      },
      "source": {
        "discovery": "INTERNAL"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,1.5.0]",
          "affected_versions": "All versions up to 1.5.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-787",
            "CWE-937"
          ],
          "date": "2022-09-20",
          "description": "Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.",
          "fixed_versions": [],
          "identifier": "CVE-2022-40149",
          "identifiers": [
            "GHSA-56h3-78gp-v83r",
            "CVE-2022-40149"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.codehaus.jettison/jettison",
          "pubdate": "2022-09-17",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Out-of-bounds Write",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
            "https://github.com/jettison-json/jettison/issues/45",
            "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538",
            "https://github.com/advisories/GHSA-56h3-78gp-v83r"
          ],
          "uuid": "1522badf-984e-4e7c-ad71-bc20a1790b1c"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:jettison_project:jettison:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.4.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@google.com",
          "ID": "CVE-2022-40149"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-787"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "N/A",
              "refsource": "CONFIRM",
              "tags": [
                "Permissions Required",
                "Third Party Advisory"
              ],
              "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538"
            },
            {
              "name": "N/A",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Third Party Advisory"
              ],
              "url": "https://github.com/jettison-json/jettison/issues/45"
            },
            {
              "name": "[debian-lts-announce] 20221110 [SECURITY] [DLA 3184-1] libjettison-java security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html"
            },
            {
              "name": "DSA-5312",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2023/dsa-5312"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-03-01T16:32Z",
      "publishedDate": "2022-09-16T10:15Z"
    }
  }
}

cve-2022-40149

Vulnerability from cvelistv5

Published

2022-09-16 00:00

Modified

2024-08-03 12:14

Severity

6.5 (Medium) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

Stack Buffer Overflow in Jettison

References

URL	Tags
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538
https://github.com/jettison-json/jettison/issues/45
https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html	mailing-list
https://www.debian.org/security/2023/dsa-5312	vendor-advisory

Impacted products

Vendor	Product
Jettison	Jettison

Show details on NVD website