*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.
It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit configuration on its side or for the "idtoken" response type which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of "alg" key in the header with an empty signature value.
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.
Path to dependency file: /legend-depot-server/pom.xml
Path to vulnerable library: /legend-depot-store-server/pom.xml,/legend-depot-server/pom.xml
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-52428
### Vulnerable Library - nimbus-jose-jwt-8.0.jarJava library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)
Library home page: http://connect2id.com
Path to dependency file: /legend-depot-server/pom.xml
Path to vulnerable library: /legend-depot-server/pom.xml,/legend-depot-store-server/pom.xml
Dependency Hierarchy: - legend-shared-pac4j-gitlab-0.23.3.jar (Root Library) - :x: **nimbus-jose-jwt-8.0.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsIn Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
Publish Date: 2024-02-11
URL: CVE-2023-52428
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52428
Release Date: 2024-02-11
Fix Resolution: com.nimbusds:nimbus-jose-jwt:9.37.2
CVE-2023-1370
### Vulnerable Library - json-smart-2.4.2.jarJSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
Library home page: https://urielch.github.io/
Path to dependency file: /legend-depot-store-server/pom.xml
Path to vulnerable library: /legend-depot-store-server/pom.xml,/legend-depot-server/pom.xml
Dependency Hierarchy: - legend-shared-pac4j-gitlab-0.23.3.jar (Root Library) - nimbus-jose-jwt-8.0.jar - :x: **json-smart-2.4.2.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
Publish Date: 2023-03-13
URL: CVE-2023-1370
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
Release Date: 2023-03-22
Fix Resolution: net.minidev:json-smart:2.4.9
CVE-2021-44878
### Vulnerable Library - pac4j-oidc-3.8.3.jarProfile & Authentication Client for Java
Library home page: https://github.com/pac4j/pac4j
Path to dependency file: /legend-depot-store-server/pom.xml
Path to vulnerable library: /legend-depot-store-server/pom.xml,/legend-depot-server/pom.xml
Dependency Hierarchy: - legend-shared-pac4j-gitlab-0.23.3.jar (Root Library) - :x: **pac4j-oidc-3.8.3.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsIf an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit configuration on its side or for the "idtoken" response type which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of "alg" key in the header with an empty signature value.
Publish Date: 2022-01-06
URL: CVE-2021-44878
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44878
Release Date: 2022-01-06
Fix Resolution: org.pac4j:pac4j-oidc:5.2.0
CVE-2021-31684
### Vulnerable Library - json-smart-2.4.2.jarJSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
Library home page: https://urielch.github.io/
Path to dependency file: /legend-depot-store-server/pom.xml
Path to vulnerable library: /legend-depot-store-server/pom.xml,/legend-depot-server/pom.xml
Dependency Hierarchy: - legend-shared-pac4j-gitlab-0.23.3.jar (Root Library) - nimbus-jose-jwt-8.0.jar - :x: **json-smart-2.4.2.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsA vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.
Publish Date: 2021-06-01
URL: CVE-2021-31684
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31684
Release Date: 2021-06-01
Fix Resolution (net.minidev:json-smart): 2.4.5
Direct dependency fix Resolution (org.finos.legend.shared:legend-shared-pac4j-gitlab): 0.23.5
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.