Description
An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
A flaw was found in json-smart. When an exception is thrown from a function, but is not caught, the program using the library may crash or expose sensitive information. The highest threat from this vulnerability is to data confidentiality and system availability.
In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that make up the OCP Metering stack ship the vulnerable version of the json-smart package.
Since the release of OCP 4.6, the Metering product has been deprecated [1]; the affected components are therefore marked as wontfix.
This may be fixed in the future.
[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated
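The advisory names two consequences of the uncaught exception: a crash (availability) and exposure of internal details (confidentiality). The following Java snippet, added here and not part of the advisory or of json-smart itself, contrasts a caller that lets the parser's unchecked exception escape into a generic error handler with a hardened caller that treats every parser failure as a client error and keeps the exception detail server-side. `json-smart`'s `JSONParser`, `MODE_STRICTEST` and `ParseException` are the library's real API; `HttpError` is an assumed placeholder for whatever error type the application returns.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import net.minidev.json.parser.JSONParser;
import net.minidev.json.parser.ParseException;

public final class JsonInputHandling {
    private static final Logger LOG = Logger.getLogger(JsonInputHandling.class.getName());

    /** Assumed placeholder for the application's error response type. */
    static final class HttpError extends RuntimeException {
        final int status;
        HttpError(int status, String message) { super(message); this.status = status; }
    }

    // Vulnerable pattern: only the checked ParseException is handled. A NumberFormatException
    // (a RuntimeException) thrown by the affected json-smart versions propagates out of this
    // method, so a generic top-level handler that echoes getMessage() or a stack trace leaks
    // parser internals, and a thread without such a handler simply dies.
    static Object parseUnguarded(String untrustedBody) {
        try {
            return new JSONParser(JSONParser.MODE_STRICTEST).parse(untrustedBody);
        } catch (ParseException e) {
            throw new HttpError(400, "invalid JSON: " + e.getMessage());
        }
    }

    // Hardened pattern: any failure while parsing untrusted input is a client error.
    // Checked and unchecked parser exceptions are caught together, the full detail is logged
    // server-side only, and the client receives a fixed message with no internal information.
    static Object parseGuarded(String untrustedBody) {
        try {
            return new JSONParser(JSONParser.MODE_STRICTEST).parse(untrustedBody);
        } catch (ParseException | RuntimeException e) {
            LOG.log(Level.WARNING, "rejected malformed JSON input", e);
            throw new HttpError(400, "malformed JSON");
        }
    }
}
```

The guard belongs at every boundary where json-smart parses attacker-controlled data; it limits the blast radius but is not a substitute for moving to a fixed version where one is available.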
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel8 | Not affected | | |
| Red Hat JBoss Fuse 6 | json-smart | Out of support scope | | |
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-logging-elasticsearch5 | Not affected | | |
| Red Hat OpenShift Container Platform 4 | jenkins-2-plugins | Affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-logging-elasticsearch6 | Out of support scope | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-metering-hadoop | Will not fix | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-metering-hive | Will not fix | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-metering-presto | Will not fix | | |
| Red Hat AMQ Streams 1.8.0 | json-smart | Fixed | RHSA-2021:3225 | 19.08.2021 |
| Red Hat Fuse 7.10 | json-smart | Fixed | RHSA-2021:5134 | 14.12.2021 |
Additional information
Status:
CVSS3: 5.9 Medium
Related vulnerabilities
Improper Check for Unusual or Exceptional Conditions in json-smart
A vulnerability in the json-smart-v1 and json-smart-v2 libraries, caused by an improper check for unusual or exceptional conditions, that allows an attacker to crash the application or disclose protected information
CVSS3: 5.9 Medium