Bug 2188542 (CVE-2023-1370)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) | | |
| Product | [Other] Security Response | Reporter | Sandipan Roy <saroy> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | unspecified | CC | abenaiss, aileenc, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, cmoulliard, darran.lofthouse, dfreiber, dhanak, dkreling, dosoudil, drichtar, ellin, emingora, fjuma, fmongiar, gjospin, gmalinko, hbraun, ibek, ikanello, ivassile, iweiss, janstey, jburrell, jcantril, jnethert, jpavlik, jpechane, jpoth, jrokos, jross, jscholz, kverlaen, lbacciot, lgao, lthon, mnovotny, mokumar, mosmerov, msochure, msvehla, nboldt, nwallace, pdelbell, pdrozd, peholase, periklis, pgallagh, pjindal, pmackay, pskopek, rguimara, rkieley, rogbas, rowaters, rrajasek, rruss, rstancel, scorneli, shbose, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, vkumar, yfang |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | json-smart 2.4.9, json-smart 2.4.10 | Doc Type | If docs needed, set a value |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2023-05-03 20:36:42 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 2180850 | | |

Doc Text:

A flaw was found in the json-smart package. When the parser reaches a `[` or `{` character in the JSON input, it parses an array or an object, respectively, and the third-party package (3PP) places no limit on how deeply such arrays or objects may be nested. Because nested arrays and objects are parsed recursively, an input with a very large number of nesting levels can exhaust the stack (stack overflow) and crash the software.
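As an added illustration of the mitigation described in the Doc Text (example code, not json-smart's or Red Hat's), the following Python guard measures array/object nesting with a flat scan and rejects input that exceeds a limit before any recursive parser touches it. The names `DEFAULT_MAX_DEPTH`, `NestingTooDeep`, `max_nesting_depth` and `safe_loads`, the 64-level limit and the hostile sample input are all constructed here.

```python
import json

DEFAULT_MAX_DEPTH = 64  # assumed policy value; set it to what the application really needs


class NestingTooDeep(ValueError):
    """Raised when the JSON text nests arrays/objects deeper than the configured limit."""


def max_nesting_depth(text: str, limit=None) -> int:
    """Deepest '['/'{' nesting in ``text`` via a flat O(n) scan (constant stack, unlike a
    recursive parser). Brackets inside strings are skipped; with ``limit`` set, the
    scan stops early and returns ``limit + 1`` once the limit is exceeded."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False          # the character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if limit is not None and depth > limit:
                return limit + 1         # hostile input: bail out without scanning the rest
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1                   # unbalanced input is left for the real parser to reject
    return max_depth


def safe_loads(text: str, limit: int = DEFAULT_MAX_DEPTH):
    """Parse JSON only after the nesting depth has been checked against ``limit``."""
    if max_nesting_depth(text, limit) > limit:
        raise NestingTooDeep(f"JSON nesting exceeds the limit of {limit}")
    return json.loads(text)


if __name__ == "__main__":
    # Constructed hostile input: 100k nested arrays would exhaust a recursive parser's stack.
    hostile = "[" * 100_000 + "]" * 100_000
    try:
        safe_loads(hostile)
    except NestingTooDeep as exc:
        print("rejected:", exc)
```

The check costs one pass over the bytes and no stack, so it can sit in front of any recursive JSON parser whose nesting depth is not otherwise bounded.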
Description

Sandipan Roy, 2023-04-21 05:35:36 UTC

This issue has been addressed in the following products:

- RHINT Camel-Springboot 3.18.3.P1 via RHSA-2023:2099 https://access.redhat.com/errata/RHSA-2023:2099
- RHINT Camel-Springboot 3.20.1 via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-1370

This issue has been addressed in the following products:

- CEQ 2.13.2-2 via RHSA-2023:3179 https://access.redhat.com/errata/RHSA-2023:3179
- CEQ 2.7.1-1 via RHSA-2023:3193 https://access.redhat.com/errata/RHSA-2023:3193
- Red Hat AMQ Streams 2.4.0 via RHSA-2023:3223 https://access.redhat.com/errata/RHSA-2023:3223
- Red Hat OpenShift Container Platform 4.10 via RHSA-2023:3362 https://access.redhat.com/errata/RHSA-2023:3362
- OpenShift Developer Tools and Services for OCP 4.12 via RHSA-2023:3610 https://access.redhat.com/errata/RHSA-2023:3610
- OpenShift Developer Tools and Services for OCP 4.13 via RHSA-2023:3622 https://access.redhat.com/errata/RHSA-2023:3622
- RHINT Camel-Springboot 3.18.3.P2 via RHSA-2023:3641 https://access.redhat.com/errata/RHSA-2023:3641
- OpenShift Developer Tools and Services for OCP 4.11 via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663
- RHINT Camel-K-1.10.1 via RHSA-2023:3906 https://access.redhat.com/errata/RHSA-2023:3906
- Red Hat Fuse 7.12 via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954
- AMQ Clients 3.y for RHEL 8, AMQ Clients 3.y for RHEL 9 via RHSA-2023:7697 https://access.redhat.com/errata/RHSA-2023:7697