GHSA-xqcq-j8w9-3pxv – com.tencyle.fixes:org.codehaus.jettison--jettison

Package

Manager: maven
Name: com.tencyle.fixes:org.codehaus.jettison--jettison
Vulnerable Version: =1.1-tencyle-2.1.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Jettison parser crash by stackoverflow Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. ### References - https://nvd.nist.gov/vuln/detail/CVE-2022-40149 - https://github.com/jettison-json/jettison/issues/45 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538 - https://github.com/jettison-json/jettison/pull/49/files - https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1 - https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html - https://www.debian.org/security/2023/dsa-5312

Metadata

Created: 2023-08-01T19:53:16Z
Modified: 2023-08-01T19:53:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-xqcq-j8w9-3pxv/GHSA-xqcq-j8w9-3pxv.json
CWE IDs: ["CWE-121", "CWE-787"]
Alternative ID: N/A
Finding: F316
Auto approve: 1