CVE-2023-33008

Опубликовано: 07 июл. 2023

Источник: nvd

CVSS3: 5.3

EPSS Низкий

Описание

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon.

A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal.

This issue affects Apache Johnzon: through 1.2.20.

Ссылки

https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l
Issue Tracking
Mailing List
Vendor Advisory
https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l
Issue Tracking
Mailing List
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:johnzon:*:*:*:*:*:*:*:*

Версия до 1.2.21 (исключая)

EPSS

Процентиль: 34%

0.00137

Низкий

5.3 Medium

CVSS3

Дефекты

CWE-502

Связанные уязвимости

CVE-2023-33008

CVSS3: 5.3

redhat

больше 2 лет назад

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. This issue affects Apache Johnzon: through 1.2.20.

GHSA-crqg-jrpj-fc84

CVSS3: 5.3

github

больше 2 лет назад

Apache Johnzon Deserialization of Untrusted Data vulnerability

BDU:2023-05035

CVSS3: 5.3

fstec

больше 2 лет назад

Уязвимость компонента BigDecimal программного средства обработки JSON-файлов Apache Johnzon, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 34%

0.00137

Низкий

5.3 Medium

CVSS3

Дефекты

CWE-502