GHSA-264p-99wq-f4j6

Source

https://github.com/advisories/GHSA-264p-99wq-f4j6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-264p-99wq-f4j6/GHSA-264p-99wq-f4j6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-264p-99wq-f4j6

Aliases

CVE-2024-21634

Related

Published

2024-01-03T22:04:08Z

Modified

2024-04-12T17:16:19.921675Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Ion Java StackOverflow vulnerability

Details

Impact

A potential denial-of-service issue exists in ion-java for applications that use ion-java to:

Deserialize Ion text encoded data, or
Deserialize Ion text or binary encoded data into the IonValue model and then invoke certain IonValue methods on that in-memory representation.

An actor could craft Ion data that, when loaded by the affected application and/or processed using the IonValue model, results in a StackOverflowError originating from the ion-java library.

Impacted versions: <1.10.5

Patches

The patch is included in ion-java >= 1.10.5.

Workarounds

Do not load data which originated from an untrusted source or that could have been tampered with. Only load data you trust.

If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

[1] https://aws.amazon.com/security/vulnerability-reporting

Database specific

{
    "nvd_published_at": "2024-01-03T23:15:08Z",
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-03T22:04:08Z"
}

References

Affected packages

Maven / com.amazon.ion:ion-java

Package

Name: com.amazon.ion:ion-java; View open source insights on deps.dev
Purl: pkg:maven/com.amazon.ion/ion-java

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.10.5

Affected versions

1.*

1.4.0

1.5.0

1.5.1

1.6.0

1.6.1

1.7.0

1.7.1

1.8.0

1.8.1

1.8.2

1.8.3

1.9.0

1.9.1

1.9.2

1.9.3

1.9.4

1.9.5

1.9.6

1.10.0

1.10.1

1.10.2

1.10.3

1.10.4

Maven / software.amazon.ion:ion-java

Package

Name: software.amazon.ion:ion-java; View open source insights on deps.dev
Purl: pkg:maven/software.amazon.ion/ion-java

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0

1.1.1

1.1.2

1.2.0

1.3.0

1.3.1

1.4.0

1.5.0

1.5.1

Database specific

{
    "last_known_affected_version_range": "< 1.10.5"
}