GHSA-g8p6-p27c-52fx

Source

https://github.com/advisories/GHSA-g8p6-p27c-52fx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-g8p6-p27c-52fx/GHSA-g8p6-p27c-52fx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g8p6-p27c-52fx

Aliases

CVE-2023-4043

Published

2023-11-03T09:32:49Z

Modified

2024-02-16T08:17:00.305225Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Eclipse Parsson Denial of Service vulnerability

Details

In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.

To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.

Database specific

{
    "nvd_published_at": "2023-11-03T09:15:13Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-834"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-03T19:47:25Z"
}

References

Affected packages

Maven / org.eclipse.parsson:project

Package

Name: org.eclipse.parsson:project; View open source insights on deps.dev
Purl: pkg:maven/org.eclipse.parsson/project

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.1.0

Fixed

1.1.4

Affected versions

1.*

1.1.0

1.1.1

1.1.2

1.1.3

Maven / org.eclipse.parsson:project

Package

Name: org.eclipse.parsson:project; View open source insights on deps.dev
Purl: pkg:maven/org.eclipse.parsson/project

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.5

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4