Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nOHA2LXAyN2MtNTJmeM4AA25_
Eclipse Parsson Denial of Service vulnerability
In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.
To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.
Permalink: https://github.com/advisories/GHSA-g8p6-p27c-52fxJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nOHA2LXAyN2MtNTJmeM4AA25_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Percentage: 0.00081
EPSS Percentile: 0.36035
Identifiers: GHSA-g8p6-p27c-52fx, CVE-2023-4043
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-4043
- https://github.com/eclipse-ee4j/parsson/pull/100
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13
- https://github.com/advisories/GHSA-g8p6-p27c-52fx
Blast Radius: 1.0
Affected Packages
maven:org.eclipse.parsson:project
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.0.5, >= 1.1.0, < 1.1.4
Fixed in: 1.0.5, 1.1.4
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.1.3
All unaffected versions: 1.0.5, 1.1.4, 1.1.5, 1.1.6, 1.1.7