CVE-2023-5072 - OpenCVE

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Json-java Project	Json-java

Configuration 1 [-]

cpe:2.3:a:json-java_project:json-java:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/12/13/4
https://github.com/stleary/JSON-java/issues/758	Issue Tracking
https://github.com/stleary/JSON-java/issues/771	Exploit Issue Tracking
https://security.netapp.com/advisory/ntap-20240621-0007/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Google

Published: 2023-10-12T16:13:27.974Z

Updated: 2024-05-21T03:38:31.550Z

Reserved: 2023-09-19T18:29:03.608Z

Link: CVE-2023-5072

JSON object: View

NVD Information

Status : Modified

Published: 2023-10-12T17:15:10.187

Modified: 2024-06-21T19:15:29.820

Link: CVE-2023-5072

JSON object: View

Redhat Information

No data.

CWE

CWE-770

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-5072", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2023-09-19T18:29:03.608Z", "datePublished": "2023-10-12T16:13:27.974Z", "dateUpdated": "2024-05-21T03:38:31.550Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "n/a", "vendor": "https://github.com/stleary/JSON-java", "versions": [{"lessThanOrEqual": "20230618", "status": "affected", "version": "0", "versionType": "date"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Denial of Service in </span><span style=\"background-color: rgb(255, 255, 255);\">JSON-Java versions up to and including 20230618.  </span><span style=\"background-color: rgb(255, 255, 255);\">A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span><br>"}], "value": "Denial of Service in JSON-Java versions up to and including 20230618. \u00a0A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used."}], "impacts": [{"capecId": "CAPEC-197", "descriptions": [{"lang": "en", "value": "CAPEC-197 Exponential Data Expansion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2024-05-21T03:38:31.550Z"}, "references": [{"url": "https://github.com/stleary/JSON-java/issues/758"}, {"url": "https://github.com/stleary/JSON-java/issues/771"}, {"url": "http://www.openwall.com/lists/oss-security/2023/12/13/4"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}], "source": {"discovery": "UNKNOWN"}, "title": "DoS Vulnerability in JSON-Java", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:json-java_project:json-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "13919820-D849-4641-A7E6-6E01A01862F2", "versionEndIncluding": "20230618", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Denial of Service in JSON-Java versions up to and including 20230618. \u00a0A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used."}, {"lang": "es", "value": "Denegaci\u00f3n de Servicio (DoS) en versiones JSON-Java hasta 20230618 incluida. Un error en el analizador significa que una cadena de entrada de tama\u00f1o modesto puede provocar el uso de cantidades indefinidas de memoria."}], "id": "CVE-2023-5072", "lastModified": "2024-06-21T19:15:29.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2023-10-12T17:15:10.187", "references": [{"source": "cve-coordination@google.com", "url": "http://www.openwall.com/lists/oss-security/2023/12/13/4"}, {"source": "cve-coordination@google.com", "tags": ["Issue Tracking"], "url": "https://github.com/stleary/JSON-java/issues/758"}, {"source": "cve-coordination@google.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/stleary/JSON-java/issues/771"}, {"source": "cve-coordination@google.com", "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}