CVE-2023-33008

EPSS 0.09%
Published 07.07.2023 10:15:09
Last modified 21.11.2024 08:04:23
Source security@apache.org
Teams watchlist Login
Open Login

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon.


A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. 


This issue affects Apache Johnzon: through 1.2.20.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Johnzon Version < 1.2.21

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.09%	0.272

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l

Vendor Advisory

Mailing List

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-33008

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-33008

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-33008

EUVD