CVE-2023-4043
Summary
| CVE | CVE-2023-4043 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-11-03 09:15:00 UTC |
| Updated | 2023-11-13 18:26:00 UTC |
| Description | In Eclipse Parsson before versions 1.1.4 and 1.0.5, parsing JSON from untrusted sources can let malicious actors exploit the fact that Java's built-in support for parsing numbers with a large scale has a number of edge cases where the input text of a number leads to much larger processing time than one would expect. To mitigate the risk, Parsson put in place a size limit for the numbers as well as their scale. |
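
The description above names the mechanism but not the shape of the check. The following is an added illustration written for this page, not Parsson's own code: `new BigDecimal(String)` is linear in the literal length and stores the exponent as a plain `int`, so the literal itself parses cheaply; the cost appears when the value is later converted (for example `toBigInteger()`, which must multiply or divide by 10^|scale|). The mitigation the advisory describes is therefore applied before those conversions, bounding both the literal length and the absolute scale. The class name, the helper names, and the two limit constants (`MAX_LITERAL_LENGTH`, `MAX_ABS_SCALE`) are assumptions chosen for illustration; Parsson's own property names and defaults are not stated on this page.

```java
import java.math.BigDecimal;
import java.math.BigInteger;

/**
 * Bounded JSON number handling. Added example for this page; not Parsson code.
 * The limits below are illustrative values, not Parsson's defaults.
 */
public final class BoundedJsonNumber {
    /** Hypothetical cap on the length of a number literal (digits, sign, dot, exponent). */
    static final int MAX_LITERAL_LENGTH = 1100;
    /** Hypothetical cap on |scale|; the check is symmetric, as in the fix referenced below. */
    static final int MAX_ABS_SCALE = 100_000;

    /** Parse a JSON number literal into a BigDecimal, rejecting oversized literals first. */
    static BigDecimal parseNumber(String literal) {
        if (literal.length() > MAX_LITERAL_LENGTH) {
            throw new IllegalArgumentException(
                "number literal longer than " + MAX_LITERAL_LENGTH + " characters");
        }
        // Linear in the literal length; "1e999999999" is cheap here because the
        // exponent only becomes a scale value, not materialized digits.
        return new BigDecimal(literal);
    }

    /** Convert to BigInteger only when the scale is within bounds in either direction. */
    static BigInteger toBigInteger(BigDecimal value) {
        int scale = value.scale();
        // Positive scale: toBigInteger divides the unscaled value by 10^scale.
        // Negative scale: toBigInteger multiplies it by 10^|scale|, materializing |scale| digits.
        // Both cost time and memory proportional to |scale|, so bound it in both directions
        // (explicit comparisons rather than Math.abs, which misbehaves for Integer.MIN_VALUE).
        if (scale > MAX_ABS_SCALE || scale < -MAX_ABS_SCALE) {
            throw new ArithmeticException(
                "scale " + scale + " exceeds limit " + MAX_ABS_SCALE);
        }
        return value.toBigInteger();
    }

    public static void main(String[] args) {
        // Constructed inputs: one ordinary value, two with absurd exponents of either sign,
        // and one over-long digit string. None of these are real observed payloads.
        String[] inputs = {
            "12345.678",
            "1e999999999",
            "1e-999999999",
            "9".repeat(2000)
        };
        for (String in : inputs) {
            String shown = in.length() > 40 ? in.substring(0, 20) + "...(" + in.length() + " chars)" : in;
            try {
                BigDecimal bd = parseNumber(in);
                // The conversion below is the step that would otherwise run away.
                System.out.println(shown + " -> scale " + bd.scale() + " -> " + toBigInteger(bd));
            } catch (IllegalArgumentException | ArithmeticException e) {
                System.out.println(shown + " rejected: " + e.getMessage());
            }
        }
    }
}
```

Without the scale check, the two exponent cases would each parse instantly and then spend unbounded time and memory inside `toBigInteger()`; with it, only `12345.678` reaches the conversion and yields `12345`. An unguarded `BigDecimal.toPlainString()` has the same failure mode and should sit behind the same bound.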
Risk And Classification
Problem Types: CWE-834
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| BigInteger scale limit counts absolute value now. by Tomas-Kraus · Pull Request #100 · eclipse-ee4j/parsson · GitHub | MISC | github.com | |
| There is a DoS vulnerability in the latest version 2.1.2 of jakartaee/jsonp-api (#13) · Issues · Eclipse Projects Security / vulnerability-reports · GitLab | MISC | gitlab.eclipse.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 20401 Oracle Database 21c Critical Patch Update - January 2024
- 243042 Red Hat Update for JBoss Enterprise Application Platform 8.0.1 (RHSA-2024:1193)
- 243044 Red Hat Update for JBoss Enterprise Application Platform 8.0.1 (RHSA-2024:1192)
- 995833 Java (Maven) Security Update for org.eclipse.parsson:project (GHSA-g8p6-p27c-52fx)