{"api_version":"1","generated_at":"2026-04-22T22:49:32+00:00","cve":"CVE-2023-1370","urls":{"html":"https://cve.report/CVE-2023-1370","api":"https://cve.report/api/cve/CVE-2023-1370.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-1370","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-1370"},"summary":{"title":"CVE-2023-1370","description":"[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.","state":"PUBLIC","assigner":"security@jfrog.com","published_at":"2023-03-22 06:15:00","updated_at":"2024-04-01 15:45:00"},"problem_types":["CWE-674"],"metrics":[],"references":[{"url":"https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/","name":"https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/","refsource":"MISC","tags":[],"title":"json-smart Stack exhaustion DoS | XRAY-427633 - JFrog Security Research","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-1370","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1370","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"1370","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"json-smart_project","cpe5":"json-smart","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"1370","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"json-smart_project","cpe5":"json-smart","cpe6":"2.4.9","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-1370","qid":"150696","title":"Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2023)"},{"cve":"CVE-2023-1370","qid":"181646","title":"Debian Security Update for json-smart (DLA 3373-1)"},{"cve":"CVE-2023-1370","qid":"199281","title":"Ubuntu Security Notification for Json-smart Vulnerabilities (USN-6011-1)"},{"cve":"CVE-2023-1370","qid":"20391","title":"IBM DB2 Denial of Service (DoS) Vulnerability (7087234)"},{"cve":"CVE-2023-1370","qid":"241678","title":"Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2023:3362)"},{"cve":"CVE-2023-1370","qid":"378599","title":"Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)"},{"cve":"CVE-2023-1370","qid":"378997","title":"Atlassian Jira Service Management Data Center and Server Third-Party Dependency Vulnerability (JSDSERVER-14746)"},{"cve":"CVE-2023-1370","qid":"379452","title":"IBM Cognos Analytics Multiple Vulnerabilities (7123154)"},{"cve":"CVE-2023-1370","qid":"770190","title":"Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2023:3362)"},{"cve":"CVE-2023-1370","qid":"87546","title":"Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2023)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-1370","ASSIGNER":"security@jfrog.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-674 Uncontrolled Recursion","cweId":"CWE-674"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"json-smart","product":{"product_data":[{"product_name":"json-smart","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"2.4.9"}]}}]}}]}},"references":{"reference_data":[{"url":"https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/","refsource":"MISC","name":"https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/"}]},"source":{"discovery":"EXTERNAL"},"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}]}},"nvd":{"publishedDate":"2023-03-22 06:15:00","lastModifiedDate":"2024-04-01 15:45:00","problem_types":["CWE-674"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:json-smart_project:json-smart:*:*:*:*:*:*:*:*","versionEndExcluding":"2.4.9","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}