CVSS v3.1 base score: 7.5 (High)

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS score: 0.001 (Low), percentile 43.3%
Affected versions of net.minidev:json-smart are vulnerable to Denial of Service (DoS) due to a StackOverflowError when parsing a deeply nested JSON array or object.
When it reaches a `[` or `{` character in the JSON input, the parser descends into an array or an object respectively. The library places no limit on how deeply such arrays and objects may be nested, and because nested values are parsed recursively, input nested deeply enough exhausts the call stack (StackOverflowError) and crashes the software.
This vulnerability was fixed in json-smart version 2.4.9, but the maintainer recommends upgrading to 2.4.10, due to a remaining bug.
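For applications that cannot upgrade immediately, an added mitigation example (not code from the advisory or the json-smart project): a bounded depth scan over the raw text that rejects over-nested input before it reaches the recursive parser. The class name, the limit of 64 and the two sample inputs are assumptions.

```java
/** Added mitigation example: bound JSON nesting depth before json-smart's recursive parser sees the input. */
public final class JsonDepthGuard {
    private JsonDepthGuard() {}

    /**
     * Returns true when no array or object in {@code json} is nested deeper than {@code maxDepth}.
     * Brackets inside string literals (including after escaped quotes) are ignored. Unbalanced or
     * otherwise malformed input is not validated here; that is left to the real parser to reject.
     */
    public static boolean withinDepth(String json, int maxDepth) {
        int depth = 0;
        boolean inString = false;
        boolean escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (escaped) {
                    escaped = false;
                } else if (c == '\\') {
                    escaped = true;
                } else if (c == '"') {
                    inString = false;
                }
                continue;
            }
            if (c == '"') {
                inString = true;
            } else if (c == '[' || c == '{') {
                if (++depth > maxDepth) {
                    return false; // reject before the parser's recursion could grow this deep
                }
            } else if (c == ']' || c == '}') {
                depth--;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        int limit = 64; // assumed limit: choose one above the deepest document the application legitimately accepts
        // Constructed input: brackets and an escaped quote inside the string literal must not count towards depth.
        String normal = "{\"a\":[1,2,{\"b\":\"[[[[\\\"{\"}]}";
        // Constructed input of the shape the advisory describes, far beyond any sane limit.
        String hostile = "[".repeat(10_000) + "]".repeat(10_000);
        if (!withinDepth(normal, limit) || withinDepth(hostile, limit)) {
            throw new AssertionError("depth guard misbehaved");
        }
        // Only input that passes the guard is handed to the library, e.g. net.minidev.json.JSONValue.parse(normal).
    }
}
```

Run the guard on every untrusted document in the request path; a rejection here is also a cheap signal worth logging, since legitimate clients rarely send documents nested dozens of levels deep.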
| CPE | Name | Operator | Version |
|---|---|---|---|
| | net.minidev:json-smart | lt | 2.4.9 |
github.com/advisories/GHSA-493p-pfq6-5258
github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a
github.com/netplex/json-smart-v2/commit/e2791ae506a57491bc856b439d706c81e45adcf8
github.com/netplex/json-smart-v2/issues/137
github.com/oswaldobapvicjr/jsonmerge/security/advisories/GHSA-493p-pfq6-5258
nvd.nist.gov/vuln/detail/CVE-2023-1370
research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633
security.netapp.com/advisory/ntap-20240621-0006
security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748
www.cve.org/CVERecord?id=CVE-2023-1370