Lucene search

K
cvelistJFROGCVELIST:CVE-2023-1370
HistoryMar 13, 2023 - 9:04 a.m.

CVE-2023-1370 Stack exhaustion in json-smart leads to denial of service when parsing malformed JSON

2023-03-1309:04:36
CWE-674
JFROG
www.cve.org
1
json-smart
json processor
stack exhaustion
denial of service
malformed json
performance
recursively
nesting

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.8

Confidence

High

EPSS

0.001

Percentile

43.2%

Json-smart is a performance focused, JSON processor lib.

When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.

It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

CNA Affected

[
  {
    "collectionURL": "https://mvnrepository.com",
    "vendor": "json-smart",
    "product": "json-smart",
    "packageName": "net.minidev:json-smart",
    "versions": [
      {
        "lessThan": "2.4.9",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.8

Confidence

High

EPSS

0.001

Percentile

43.2%