camunda / camunda-bpm-platform

Flexible framework for workflow and decision automation with BPMN and DMN. Integration with Quarkus, Spring, Spring Boot, CDI.
https://camunda.com/
Apache License 2.0

JSON stack overflow vulnerability #4378

Closed. aoraki closed this 2 months ago.

aoraki commented 4 months ago

Upgrade org.json:json to version 20231013 or later.

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 and org.json:json before version 20230227 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

CVE-2022-45688

Weakness: CWE-787

aoraki commented 4 months ago

I am going to address this via a source code contribution

venetrius commented 4 months ago

Hi @aoraki,

I could see neither hutool-json nor org.json:json used in Camunda 7 Platform. org.json is referenced in a dependencyManagement section in https://github.com/camunda/camunda-bpm-platform/blob/master/internal-dependencies/pom.xml#L170 but not used by any of the modules.
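The distinction venetrius draws above (an artifact pinned in a parent's `dependencyManagement` versus one actually declared by a module) is what decides whether a scanner finding like this one is reachable code or just a stale version pin. The script below is an added example, not Camunda's tooling or anything from this repository: it parses constructed parent and module POM fragments and lists managed coordinates that no module declares directly. The sample coordinates, versions and module paths are made up for the illustration.

```python
"""Report artifacts that appear in a parent POM's <dependencyManagement>
but are not declared in any module's <dependencies>.

Added example (not the project's own code). The POM snippets below are
constructed for illustration; the versions are placeholders, not Camunda's.
"""
import xml.etree.ElementTree as ET

# Maven POMs live in this XML namespace; every XPath below must carry it.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
POM_NS = NS["m"]

# Constructed parent POM: pins two artifacts but declares none itself.
PARENT_POM = f"""<project xmlns="{POM_NS}">
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.json</groupId>
        <artifactId>json</artifactId>
        <version>20220320</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.17.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>"""

# Constructed module POMs: only jackson-databind is actually declared.
MODULE_POMS = {
    "engine/pom.xml": f"""<project xmlns="{POM_NS}">
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
  </dependencies>
</project>""",
    "webapp/pom.xml": f"""<project xmlns="{POM_NS}">
  <dependencies>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>2.0.13</version>
    </dependency>
  </dependencies>
</project>""",
}


def _coords(dep: ET.Element) -> str:
    """groupId:artifactId of one <dependency> element."""
    group = dep.findtext("m:groupId", namespaces=NS)
    artifact = dep.findtext("m:artifactId", namespaces=NS)
    return f"{group}:{artifact}"


def managed_dependencies(pom_xml: str) -> dict:
    """Map of coordinates -> pinned version from <dependencyManagement>."""
    root = ET.fromstring(pom_xml)
    path = "m:dependencyManagement/m:dependencies/m:dependency"
    return {_coords(d): d.findtext("m:version", namespaces=NS)
            for d in root.findall(path, NS)}


def declared_dependencies(pom_xml: str) -> set:
    """Coordinates a module declares directly in its own <dependencies>."""
    root = ET.fromstring(pom_xml)
    return {_coords(d) for d in root.findall("m:dependencies/m:dependency", NS)}


def unused_managed(parent_xml: str, module_xmls: dict) -> dict:
    """Managed coordinates that no module declares directly."""
    managed = managed_dependencies(parent_xml)
    declared = set()
    for xml in module_xmls.values():
        declared |= declared_dependencies(xml)
    return {c: v for c, v in managed.items() if c not in declared}


if __name__ == "__main__":
    for coords, version in unused_managed(PARENT_POM, MODULE_POMS).items():
        print(f"managed but never declared: {coords} (pinned {version})")
```

One caveat before deleting an entry this script flags: `dependencyManagement` also overrides the version of any transitive dependency with the same coordinates, so an artifact can be absent from every module's `<dependencies>` and still be pulled in through another library. Confirm with the resolved tree (`mvn dependency:tree`) that the coordinates do not appear at all; only then is the finding purely a stale pin rather than shipped code.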

tasso94 commented 4 months ago

Hi @venetrius,

Can you remove the obsolete dependencies as part of your community work?

Best, Tassilo

aoraki commented 4 months ago

Hi @venetrius, @tassilo, I raised this issue as a security scan was performed against the repo and identified a couple of vulnerabilities in the dependency. I didn’t realise that this dependency was unused, so thanks for bringing it to my attention.

I would like to make a source code contribution, and I’m only really starting out on that process. I’d like to make some nano-contributions first as a start. Removing obsolete dependencies might be a good one to get started with. If you identify the obsolete dependencies would I be able to make a contribution to remove them?

Thanks for your help.

On Mon 3 Jun 2024 at 15:01, tasso94 @.***> wrote:

Hi @venetrius https://github.com/venetrius,

Can you remove the obsolete dependencies as part of your community work?

Best, Tassilo


venetrius commented 3 months ago

Hi @aoraki,

If you would like to create a pull request to remove org.json.json from internal-dependencies/pom.xml that would be welcomed!

aoraki commented 3 months ago

That’s great @venetrius, I will gladly do that! Do I need to create a new issue on the repo to help track this change?

Thanks!

On Tue 4 Jun 2024 at 15:36, venetrius @.***> wrote:

Hi @aoraki https://github.com/aoraki,

If you would like to create a pull request to remove org.json.json from internal-dependencies/pom.xml that would be welcomed!


venetrius commented 3 months ago

Yes, please do that and then I will close this one.

venetrius commented 2 months ago

This is not a security issue. The unused dependency is removed in "Remove org.json:json from internal-dependencies/pom.xml".