CVE-2023-33008

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. This issue affects Apache Johnzon: through 1.2.20.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l	Issue Tracking Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:johnzon:*:*:*:*:*:*:*:*

History

14 Jul 2023, 17:00

Type	Values Removed	Values Added
CPE		cpe:2.3:a:apache:johnzon::::::::
References	~~(MISC) https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l -~~	(MISC) https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l - Issue Tracking, Mailing List, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3

07 Jul 2023, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-07-07 10:15

Updated : 2024-10-07 20:35

NVD link : CVE-2023-33008

Mitre link : CVE-2023-33008

CVE.ORG link : CVE-2023-33008

JSON object : View

Products Affected

apache

johnzon

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2023-33008", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2023-07-07T10:15:09.487", "references": [{"url": "https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l", "tags": ["Issue Tracking", "Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon.\n\n\nA malicious attacker can craft up some JSON input that uses large numbers (numbers such as\u00a01e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. \n\n\nThis issue affects Apache Johnzon: through 1.2.20.\n\n"}], "lastModified": "2024-10-07T20:35:02.893", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:johnzon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "831FCF86-817D-4B2F-ACBD-F086AD8CFB2C", "versionEndExcluding": "1.2.21"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}