Bug 2188542 (CVE-2023-1370) - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-1370
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2180850
Reported: 2023-04-21 05:35 UTC by Sandipan Roy
Modified: 2024-04-11 14:08 UTC (History)

Fixed In Version: json-smart 2.4.9, json-smart 2.4.10
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the json-smart package. The flaw occurs when the parser reaches a '[' or '{' character in the JSON input and parses an array or an object, respectively. The library places no limit on how deeply such arrays or objects may be nested. Since nested arrays and objects are parsed recursively, nesting too many of them can exhaust the stack (stack overflow) and crash the software.
Clone Of:
Environment:
Last Closed: 2023-05-03 20:36:42 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:2099 0 None None None 2023-05-03 14:05:34 UTC
Red Hat Product Errata RHSA-2023:2100 0 None None None 2023-05-03 14:07:24 UTC
Red Hat Product Errata RHSA-2023:3179 0 None None None 2023-05-17 12:29:45 UTC
Red Hat Product Errata RHSA-2023:3193 0 None None None 2023-05-17 15:49:42 UTC
Red Hat Product Errata RHSA-2023:3223 0 None None None 2023-05-18 09:54:44 UTC
Red Hat Product Errata RHSA-2023:3362 0 None None None 2023-06-07 09:20:58 UTC
Red Hat Product Errata RHSA-2023:3610 0 None None None 2023-06-15 00:15:10 UTC
Red Hat Product Errata RHSA-2023:3622 0 None None None 2023-06-15 09:01:36 UTC
Red Hat Product Errata RHSA-2023:3641 0 None None None 2023-06-15 15:24:22 UTC
Red Hat Product Errata RHSA-2023:3663 0 None None None 2023-06-19 10:13:19 UTC
Red Hat Product Errata RHSA-2023:3906 0 None None None 2023-06-28 15:59:23 UTC
Red Hat Product Errata RHSA-2023:3954 0 None None None 2023-06-29 20:08:42 UTC
Red Hat Product Errata RHSA-2023:7697 0 None None None 2023-12-07 13:42:09 UTC

Description Sandipan Roy 2023-04-21 05:35:36 UTC
[Json-smart](https://netplex.github.io/json-smart/) is a performance-focused JSON processor lib. When reaching a '[' or '{' character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

https://github.com/advisories/GHSA-493p-pfq6-5258
https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a
https://github.com/netplex/json-smart-v2/commit/e2791ae506a57491bc856b439d706c81e45adcf8
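
The recursion pattern the report describes, shown as an added example that is not json-smart's code (json-smart is a Java library and its fix lives in its own parser classes; this is a constructed Python mini-parser that mirrors the same recursive-descent structure). Every '[' or '{' costs one more recursion level, so with `max_depth=None` (the pre-fix behaviour) a long run of opening brackets exhausts the interpreter stack, while a small `max_depth` cap rejects the document after reading only a few dozen characters. The `NestingTooDeep`, `MiniJsonParser`, `parse_json` and `nesting_outcome` names and the depth limit of 64 are assumptions for this example, not values from the advisory or the upstream fix:

```python
"""Constructed example: a minimal recursive-descent JSON parser with an
optional nesting cap. Not json-smart's code; it only reproduces the
unbounded-recursion shape described in CVE-2023-1370 and the depth check
that closes it."""
from typing import Optional


class NestingTooDeep(ValueError):
    """Raised when the input nests deeper than the configured limit."""


class MiniJsonParser:
    # max_depth=None reproduces the vulnerable behaviour (no cap at all).
    # A small cap such as 64 is the mitigation; 64 is an assumed value.
    def __init__(self, text: str, max_depth: Optional[int] = 64):
        self.text, self.pos, self.max_depth = text, 0, max_depth

    def parse(self):
        value = self._value(depth=0)
        self._skip_ws()
        if self.pos != len(self.text):
            raise ValueError(f"trailing data at offset {self.pos}")
        return value

    def _skip_ws(self):
        while self.pos < len(self.text) and self.text[self.pos] in " \t\r\n":
            self.pos += 1

    def _peek(self):
        self._skip_ws()
        if self.pos >= len(self.text):
            raise ValueError("unexpected end of input")
        return self.text[self.pos]

    def _expect(self, ch):
        if self._peek() != ch:
            raise ValueError(f"expected {ch!r} at offset {self.pos}")
        self.pos += 1

    def _enter(self, depth):
        # The check the vulnerable code lacked: refuse before recursing further,
        # so a hostile document fails fast instead of consuming stack frames.
        if self.max_depth is not None and depth > self.max_depth:
            raise NestingTooDeep(f"nesting depth {depth} exceeds limit {self.max_depth}")

    def _value(self, depth):
        ch = self._peek()
        if ch == "[":
            return self._array(depth + 1)   # each '[' recurses one level deeper
        if ch == "{":
            return self._object(depth + 1)  # each '{' recurses one level deeper
        if ch == '"':
            return self._string()
        return self._literal_or_number()

    def _array(self, depth):
        self._enter(depth)
        self._expect("[")
        items = []
        if self._peek() == "]":
            self.pos += 1
            return items
        while True:
            items.append(self._value(depth))
            ch = self._peek()
            self.pos += 1
            if ch == "]":
                return items
            if ch != ",":
                raise ValueError(f"expected ',' or ']' at offset {self.pos - 1}")

    def _object(self, depth):
        self._enter(depth)
        self._expect("{")
        obj = {}
        if self._peek() == "}":
            self.pos += 1
            return obj
        while True:
            if self._peek() != '"':
                raise ValueError(f"expected string key at offset {self.pos}")
            key = self._string()
            self._expect(":")
            obj[key] = self._value(depth)
            ch = self._peek()
            self.pos += 1
            if ch == "}":
                return obj
            if ch != ",":
                raise ValueError(f"expected ',' or '}}' at offset {self.pos - 1}")

    def _string(self):
        # Minimal string support: handles \" \\ \/ \n \t escapes, enough for the demo.
        self._expect('"')
        out = []
        while True:
            if self.pos >= len(self.text):
                raise ValueError("unterminated string")
            ch = self.text[self.pos]
            self.pos += 1
            if ch == '"':
                return "".join(out)
            if ch == "\\":
                if self.pos >= len(self.text):
                    raise ValueError("unterminated escape")
                esc = self.text[self.pos]
                self.pos += 1
                out.append({"n": "\n", "t": "\t", '"': '"', "\\": "\\", "/": "/"}.get(esc, esc))
            else:
                out.append(ch)

    def _literal_or_number(self):
        for lit, val in (("true", True), ("false", False), ("null", None)):
            if self.text.startswith(lit, self.pos):
                self.pos += len(lit)
                return val
        start = self.pos
        while self.pos < len(self.text) and self.text[self.pos] in "+-0123456789.eE":
            self.pos += 1
        tok = self.text[start:self.pos]
        if not tok:
            raise ValueError(f"unexpected character at offset {start}")
        return float(tok) if any(c in tok for c in ".eE") else int(tok)


def parse_json(text: str, max_depth: Optional[int] = 64):
    """Parse `text`; raises NestingTooDeep when the cap is exceeded."""
    return MiniJsonParser(text, max_depth).parse()


def nesting_outcome(text: str, max_depth: Optional[int]) -> str:
    """Classify a parse: 'ok', 'rejected' (depth cap hit) or 'stack_exhausted'
    (Python's RecursionError, the analogue of the JVM StackOverflowError the
    advisory describes for the uncapped parser)."""
    try:
        parse_json(text, max_depth)
        return "ok"
    except NestingTooDeep:
        return "rejected"
    except RecursionError:
        return "stack_exhausted"


if __name__ == "__main__":
    # Constructed inputs: a normal document and one with 20,000 nested arrays.
    print(parse_json('[1, [2, [3, "x"]], {"k": null}]'))
    deep = "[" * 20000 + "]" * 20000
    print("uncapped:", nesting_outcome(deep, max_depth=None))  # stack_exhausted
    print("capped:  ", nesting_outcome(deep, max_depth=64))    # rejected
```

The cap is checked on entry to `_array` and `_object`, before any further recursion, which is why the capped parser stops after the 65th bracket rather than after reading the whole document. In a real deployment the limit should be set from the depth your own schemas legitimately need; the upstream json-smart fix (linked above) takes the same approach of bounding parser depth.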

Comment 5 errata-xmlrpc 2023-05-03 14:05:30 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.18.3.P1

Via RHSA-2023:2099 https://access.redhat.com/errata/RHSA-2023:2099

Comment 6 errata-xmlrpc 2023-05-03 14:07:20 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.1

Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100

Comment 7 Product Security DevOps Team 2023-05-03 20:36:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1370

Comment 9 errata-xmlrpc 2023-05-17 12:29:40 UTC
This issue has been addressed in the following products:

  CEQ 2.13.2-2

Via RHSA-2023:3179 https://access.redhat.com/errata/RHSA-2023:3179

Comment 10 errata-xmlrpc 2023-05-17 15:49:38 UTC
This issue has been addressed in the following products:

  CEQ 2.7.1-1

Via RHSA-2023:3193 https://access.redhat.com/errata/RHSA-2023:3193

Comment 11 errata-xmlrpc 2023-05-18 09:54:41 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.4.0

Via RHSA-2023:3223 https://access.redhat.com/errata/RHSA-2023:3223

Comment 13 errata-xmlrpc 2023-06-07 09:20:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:3362 https://access.redhat.com/errata/RHSA-2023:3362

Comment 14 errata-xmlrpc 2023-06-15 00:15:05 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2023:3610 https://access.redhat.com/errata/RHSA-2023:3610

Comment 15 errata-xmlrpc 2023-06-15 09:01:32 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2023:3622 https://access.redhat.com/errata/RHSA-2023:3622

Comment 16 errata-xmlrpc 2023-06-15 15:24:17 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.18.3.P2

Via RHSA-2023:3641 https://access.redhat.com/errata/RHSA-2023:3641

Comment 17 errata-xmlrpc 2023-06-19 10:13:15 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663

Comment 18 errata-xmlrpc 2023-06-28 15:59:19 UTC
This issue has been addressed in the following products:

  RHINT Camel-K-1.10.1

Via RHSA-2023:3906 https://access.redhat.com/errata/RHSA-2023:3906

Comment 20 errata-xmlrpc 2023-06-29 20:08:38 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.12

Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954

Comment 22 errata-xmlrpc 2023-12-07 13:42:05 UTC
This issue has been addressed in the following products:

  AMQ Clients 3.y for RHEL 8
  AMQ Clients 3.y for RHEL 9

Via RHSA-2023:7697 https://access.redhat.com/errata/RHSA-2023:7697

