Description
In Eclipse Parsson before versions 1.1.4 and 1.0.5, parsing JSON from untrusted sources can allow malicious actors to exploit the fact that Java's built-in support for parsing numbers with a large scale has a number of edge cases where the input text of a number leads to much longer processing time than one would expect.
To mitigate the risk, Parsson now enforces a size limit on numbers as well as on their scale.
A flaw was found in the Eclipse Parsson library when processing content from untrusted sources. This issue may cause a Denial of Service (DoS) due to the built-in support for parsing numbers with a large scale, where processing a large number may take much more time than expected.
Statement
Red Hat rates this as Important impact, since the issue requires processing untrusted input, and without sanitization a Denial of Service (DoS) may happen.
Mitigation
Avoid processing content from untrusted sources in order to minimize the chance of a Denial of Service attack.
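The guard the description refers to (a limit on a number's textual length and on its scale, applied before any expensive conversion) can be illustrated as a pre-parse check over the raw JSON text. This is an added Python example, not Parsson's own code; the limit values, function names and sample inputs are constructed for the illustration.

```python
import json
import re
# Constructed limits for this illustration; they are not Parsson's own defaults.
MAX_LITERAL_LENGTH = 1100  # characters in one JSON number token
MAX_ABS_SCALE = 100_000    # |fractional digits - exponent|, BigDecimal's notion of scale
# JSON number grammar (RFC 8259): integer part, optional fraction, optional exponent.
NUMBER_RE = re.compile(r"-?(?:0|[1-9]\d*)(?:\.(\d+))?(?:[eE]([+-]?\d+))?")

def number_scale(literal):
    """Scale of a number literal: '1.5e-7' -> 8, '1e999999999' -> -999999999."""
    m = NUMBER_RE.fullmatch(literal)
    if m is None:
        raise ValueError("not a JSON number: %r" % literal)
    frac, exp = m.group(1), m.group(2)
    return (len(frac) if frac else 0) - (int(exp) if exp else 0)

def number_literals(text):
    """Yield every number token that sits outside a JSON string literal."""
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':  # skip the whole string, honouring backslash escapes
            i += 1
            while i < n and text[i] != '"':
                i += 2 if text[i] == "\\" else 1
            i += 1
        elif c == "-" or c.isdigit():
            m = NUMBER_RE.match(text, i)
            if m:
                yield m.group(0)
            i = m.end() if m else i + 1
        else:
            i += 1

def number_violations(text, max_len=MAX_LITERAL_LENGTH, max_scale=MAX_ABS_SCALE):
    """List why the document's numbers breach the limits ([] means clean)."""
    problems = []
    for lit in number_literals(text):
        if len(lit) > max_len:  # length first, so a huge exponent never reaches int()
            problems.append("length")
        elif abs(number_scale(lit)) > max_scale:
            problems.append("scale")
    return problems

def guarded_loads(text):
    # Hand the text to the real parser only once the cheap textual guard has passed.
    problems = number_violations(text)
    if problems:
        raise ValueError("rejected number literal(s): " + ", ".join(problems))
    return json.loads(text)
```

Numbers inside string values are deliberately ignored, since they are never converted to numeric types by the parser.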
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat build of Apache Camel for Spring Boot 3 | parsson | Not affected | | |
| Red Hat build of Apicurio Registry 2 | parsson | Not affected | | |
| Red Hat Build of Keycloak | parsson | Will not fix | | |
| Red Hat Fuse 7 | parsson | Not affected | | |
| Red Hat OpenShift Dev Spaces | devspaces/pluginregistry-rhel8 | Affected | | |
| streams for Apache Kafka | parsson | Not affected | | |
| Cryostat 2 on RHEL 8 | cryostat-tech-preview/cryostat-grafana-dashboard-rhel8 | Fixed | RHSA-2024:0530 | 25.01.2024 |
| Cryostat 2 on RHEL 8 | cryostat-tech-preview/cryostat-operator-bundle | Fixed | RHSA-2024:0530 | 25.01.2024 |
| Cryostat 2 on RHEL 8 | cryostat-tech-preview/cryostat-reports-rhel8 | Fixed | RHSA-2024:0530 | 25.01.2024 |
| Cryostat 2 on RHEL 8 | cryostat-tech-preview/cryostat-rhel8 | Fixed | RHSA-2024:0530 | 25.01.2024 |
Additional information
CVSS3: 7.5 High
Related vulnerabilities
Eclipse Parsson Denial of Service vulnerability
CVSS3: 7.5 High