CVE-2023-33008

EPSS 0.09%
Veröffentlicht 07.07.2023 10:15:09
Zuletzt bearbeitet 21.11.2024 08:04:23
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon.


A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. 


This issue affects Apache Johnzon: through 1.2.20.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Johnzon Version < 1.2.21

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.272

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l

Vendor Advisory

Mailing List

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-33008

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-33008

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-33008

EUVD