Security Advisories: GSA_kwCzR0hTQS0yNjRwLTk5d3EtZjRqNs4AA4L1

Ion Java StackOverflow vulnerability

Impact

A potential denial-of-service issue exists in ion-java for applications that use ion-java to:

An actor could craft Ion data that, when loaded by the affected application and/or processed using the IonValue model, results in a StackOverflowError originating from the ion-java library.

Impacted versions: <1.10.5

Patches

The patch is included in ion-java >= 1.10.5.

Workarounds

Do not load data which originated from an untrusted source or that could have been tampered with. Only load data you trust.


If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [email protected]. Please do not create a public GitHub issue.

[1] https://aws.amazon.com/security/vulnerability-reporting

Permalink: https://github.com/advisories/GHSA-264p-99wq-f4j6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yNjRwLTk5d3EtZjRqNs4AA4L1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: about 1 month ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-264p-99wq-f4j6, CVE-2024-21634
References: Repository: https://github.com/amazon-ion/ion-java
Blast Radius: 14.9

Affected Packages

maven:software.amazon.ion:ion-java
Dependent packages: 55
Dependent repositories: 98
Affected Version Ranges: < 1.10.5
No known fixed version
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1
maven:com.amazon.ion:ion-java
Dependent packages: 19
Dependent repositories: 20
Affected Version Ranges: < 1.10.5
Fixed in: 1.10.5
All affected versions: 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4
All unaffected versions: 1.10.5, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.7, 1.11.8