Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jcnFnLWpycGotZmM4NM4AA0fG
Apache Johnzon Deserialization of Untrusted Data vulnerability
A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal.
This issue affects Apache Johnzon through 1.2.20.
Permalink: https://github.com/advisories/GHSA-crqg-jrpj-fc84JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcnFnLWpycGotZmM4NM4AA0fG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 6 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-crqg-jrpj-fc84, CVE-2023-33008
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-33008
- https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l
- https://github.com/apache/johnzon/commit/34ad9a6b296ae7b4667c3cf0037998e451499ea4
- https://issues.apache.org/jira/browse/JOHNZON-397
- https://github.com/advisories/GHSA-crqg-jrpj-fc84
Blast Radius: 13.7
Affected Packages
maven:org.apache.johnzon:johnzon-mapper
Dependent packages: 99Dependent repositories: 382
Downloads:
Affected Version Ranges: < 1.2.21
Fixed in: 1.2.21
All affected versions: 0.9.4, 0.9.5, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.2.15, 1.2.16, 1.2.17, 1.2.18, 1.2.19, 1.2.20
All unaffected versions: 1.2.21, 2.0.0, 2.0.1