CVE-2023-4043 – org.eclipse.parsson:project
Package
Manager: maven
Name: org.eclipse.parsson:project
Vulnerable Version: >=1.1.0 <1.1.4 || >=0 <1.0.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0015 (percentile 0.36139)
Details
Eclipse Parsson Denial of Service vulnerability. In Eclipse Parsson before versions 1.1.4 and 1.0.5, parsing JSON from untrusted sources can be abused: the built-in Java support for parsing numbers with a large scale has a number of edge cases in which the input text of a number takes far longer to process than one would expect. To mitigate the risk, Parsson introduced a size limit for numbers as well as for their scale.
Metadata
Created: 2023-11-03T09:32:49Z
Modified: 2023-11-03T19:47:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-g8p6-p27c-52fx/GHSA-g8p6-p27c-52fx.json
CWE IDs: ["CWE-20", "CWE-834"]
Alternative ID: GHSA-g8p6-p27c-52fx
Finding: F184
Auto approve: 1