CVE-2023-4043 Parsson DoS when parsing numbers from untrusted sources

2023-11-0308:11:39

CWE-834

CWE-20

eclipse

www.cve.org

cve-2023-4043

parsson

dos

json

parsing

vulnerability

eclipse

java

edge cases

size limit

scale

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.7

Confidence

High

EPSS

Percentile

10.5%

JSON

In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.

To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Parsson",
    "vendor": "Eclipse Foundation",
    "versions": [
      {
        "lessThan": "1.0.5",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThan": "1.1.4",
        "status": "affected",
        "version": "1.1.0",
        "versionType": "semver"
      }
    ]
  }
]