Lucene search

K
githubGitHub Advisory DatabaseGHSA-493P-PFQ6-5258
HistoryMar 23, 2023 - 8:32 p.m.

json-smart Uncontrolled Recursion vulnerabilty

2023-03-2320:32:03
CWE-674
GitHub Advisory Database
github.com
227
json-smart
uncontrolled recursion
denial of service
stackoverflowerror
vulnerability
patches
cve-2023-1370
nvd.nist.gov
security.snyk.io

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

43.2%

Impact

Affected versions of net.minidev:json-smart are vulnerable to Denial of Service (DoS) due to a StackOverflowError when parsing a deeply nested JSON array or object.

When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the 3PP does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.

Patches

This vulnerability was fixed in json-smart version 2.4.9, but the maintainer recommends upgrading to 2.4.10, due to a remaining bug.

Workarounds

N/A

References

Affected configurations

Vulners
Node
net.minidev\jsonMatchsmart
CPENameOperatorVersion
net.minidev:json-smartlt2.4.9

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

43.2%