Path to vulnerable library: /spring-boot-project/spring-boot-test-autoconfigure/build.gradle,/spring-boot-project/spring-boot-test-autoconfigure/build.gradle
Path to dependency file: /spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-jta-bitronix/build.gradle
Path to vulnerable library: /canner/.gradle/caches/modules-2/files-2.1/org.apache.johnzon/johnzon-core/1.2.7/79b9f79e420093bfba588be99297941e0663f098/johnzon-core-1.2.7.jar,/canner/.gradle/caches/modules-2/files-2.1/org.apache.johnzon/johnzon-core/1.2.7/79b9f79e420093bfba588be99297941e0663f098/johnzon-core-1.2.7.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.johnzon/johnzon-core/1.2.7/79b9f79e420093bfba588be99297941e0663f098/johnzon-core-1.2.7.jar
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon.
A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal.
This issue affects Apache Johnzon: through 1.2.20.
CVE-2023-33008 - Medium Severity Vulnerability
Vulnerable Libraries - johnzon-mapper-1.2.7.jar, johnzon-core-1.2.7.jar, johnzon-jsonb-1.2.7.jar
johnzon-mapper-1.2.7.jar
Apache Johnzon is an implementation of JSR-353 (JavaTM API for JSON Processing).
Library home page: http://johnzon.apache.org
Path to vulnerable library: /spring-boot-project/spring-boot-test-autoconfigure/build.gradle,/spring-boot-project/spring-boot-test-autoconfigure/build.gradle
Dependency Hierarchy: - :x: **johnzon-mapper-1.2.7.jar** (Vulnerable Library)
johnzon-core-1.2.7.jar
Apache Johnzon is an implementation of JSR-353 (JavaTM API for JSON Processing).
Library home page: http://johnzon.apache.org
Path to dependency file: /spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-jta-bitronix/build.gradle
Path to vulnerable library: /canner/.gradle/caches/modules-2/files-2.1/org.apache.johnzon/johnzon-core/1.2.7/79b9f79e420093bfba588be99297941e0663f098/johnzon-core-1.2.7.jar,/canner/.gradle/caches/modules-2/files-2.1/org.apache.johnzon/johnzon-core/1.2.7/79b9f79e420093bfba588be99297941e0663f098/johnzon-core-1.2.7.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.johnzon/johnzon-core/1.2.7/79b9f79e420093bfba588be99297941e0663f098/johnzon-core-1.2.7.jar
Dependency Hierarchy: - :x: **johnzon-core-1.2.7.jar** (Vulnerable Library)
johnzon-jsonb-1.2.7.jar
Apache Johnzon is an implementation of JSR-353 (JavaTM API for JSON Processing).
Library home page: http://johnzon.apache.org
Path to vulnerable library: /spring-boot-project/spring-boot-test-autoconfigure/build.gradle
Dependency Hierarchy: - :x: **johnzon-jsonb-1.2.7.jar** (Vulnerable Library)
Found in HEAD commit: 275c27d9dd5c88d8db426ebfb734d89d3f8e7412
Found in base branch: master
Vulnerability Details
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. This issue affects Apache Johnzon: through 1.2.20.
Publish Date: 2023-07-07
URL: CVE-2023-33008
CVSS 3 Score Details (5.3)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l
Release Date: 2023-07-07
Fix Resolution: 1.2.21
Step up your Open Source Security Game with Mend here