OESA-2023-1965

Jettison is a collection of Java APIs (like STaX and DOM) which read and write JSON. This allows nearly transparent enablement of JSON based web services in services frameworks like CXF or XML serialization frameworks like XStream.

Security Fix(es):

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.(CVE-2022-40149)

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.(CVE-2022-40150)

A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.(CVE-2022-45685)

Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.(CVE-2022-45693)

An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

(CVE-2023-1436)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:20.03-LTS-SP4 / jettison

Package

Name: jettison
Purl: pkg:rpm/openEuler/jettison&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5.4-1.oe2003sp4

Ecosystem specific

{
    "noarch": [
        "jettison-1.5.4-1.oe2003sp4.noarch.rpm",
        "jettison-javadoc-1.5.4-1.oe2003sp4.noarch.rpm"
    ],
    "src": [
        "jettison-1.5.4-1.oe2003sp4.src.rpm"
    ]
}