CVE-2024-28180

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if t...

jose Security Vulnerabilities

jose is a JavaScript module for signing and encrypting JSON objects. A security vulnerability exists in jose versions prior to 4.0.1, 3.0.3, and 2.6.3, which allows an attacker to send JWEs containing compressed data that uses a large amount of memory and CPU when decompressed via Decrypt or...

Prototype Pollution

Axios is vulnerable to Prototype Pollution. The vulnerability is due to the formDataToJSON method within lib/helpers/formDataToJSON.js improperly filtering the proto attribute from the FormData object, allowing an attacker to overwrite critical JavaScript Object attributes...

JSON-java: parser confusion leads to OOM

A flaw was found in the org.json package. A bug in the parser exists, and an input string may lead to undefined usage of memory, leading to an out-of-memory error, causing a denial of service DoS...

libfastjson: integer overflow and out-of-bounds write via a large JSON file

A flaw was found in json-c. In printbufmemappend, certain crafted values can overflow the memory allowing an attacker to write past the memory boundary. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

Qualys API Best Practices: Web Application Scanning API

This API Best Practices Series is designed for Qualys customer programmers or stakeholders with a general knowledge of programming who want to implement best practices for improving the development, design, and performance of their programs that use the Qualys API. For non-customers, the Qualys A...

PYSEC-2023-196

vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version...

apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale

A flaw was found in Apache Johnzon. This issue could allow an attacker to craft a specific JSON input that Johnzon will deserialize into a BigDecimal, which Johnzon may use to start converting large numbers, resulting in a denial of service...

Important: tomcat

Issue Overview: A privilege escalation flaw was found in Tomcat when the JMX Remote Lifecycle Listener was enabled. A local attacker without access to the Tomcat process or configuration files could be able to manipulate the RMI registry to perform a man-in-the-middle attack. The attacker could...

Hutool Security Vulnerabilities

Hutool is a small but complete Java tool library from the Chinese Dromara community. A security vulnerability exists in Hutool version v5.8.21, which stems from a buffer overflow vulnerability in the component JSONUtil.parse...

SUSE SLES12 Security Update : cjose (SUSE-SU-2023:3030-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2023:3030-1 advisory. - OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption JOSE. The AES GCM decryption routine incorrectly us...

ALSA-2023:4411 Important: cjose security update

CJose is C library implementing the Javascript Object Signing and Encryption JOSE. Security Fixes: cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE CVE-2023-37464 For more details about the security issues, including the impact, a CVSS score,...

PT-2023-6374 · Casaos · Casaos

Name of the Vulnerable Software and Affected Versions: CasaOS versions prior to 0.4.4 Description: Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication, allowing them to execute arbitrary commands as root on CasaOS instances. This issue is...

CVE-2023-37464

OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption JOSE. The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug...

PrestaShop 安全漏洞

PrestaShop is an open source e-commerce solution from PrestaShop, Inc. in the United States. The solution provides multiple payment methods, SMS alerts, and product image zoom and other features. A security vulnerability exists in PrestaShop Fast Access to Order Details 1.1.20 and earlier version...

jettison: parser crash by stackoverflow

A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input,...

jettison: memory exhaustion via user-supplied XML or JSON data

A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack...

json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)

A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘‘ or ‘‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed...

jettison: memory exhaustion via user-supplied XML or JSON data

A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack...

jettison: memory exhaustion via user-supplied XML or JSON data

A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack...