Search criteria
6 vulnerabilities found for parsson by eclipse
FKIE_CVE-2023-7272
Vulnerability from fkie_nvd - Published: 2024-07-17 15:15 - Updated: 2025-02-06 18:07
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents.
References
| URL | Tags | ||
|---|---|---|---|
| emo@eclipse.org | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12 | Exploit, Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12 | Exploit, Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:eclipse:parsson:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60E3654D-D790-47C4-8422-35DA7C26CC78",
"versionEndExcluding": "1.0.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:parsson:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B6E85442-5345-483A-B2D9-CF0851B306DB",
"versionEndExcluding": "1.1.3",
"versionStartIncluding": "1.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents."
},
{
"lang": "es",
"value": "En Eclipse Parsson anterior a 1.0.4 y 1.1.3, un documento con una gran profundidad de objetos anidados puede permitir que un atacante provoque una excepci\u00f3n de desbordamiento de pila de Java y denegaci\u00f3n de servicio. Eclipse Parsson permite procesar (por ejemplo, analizar, generar, transformar y consultar) documentos JSON."
}
],
"id": "CVE-2023-7272",
"lastModified": "2025-02-06T18:07:45.847",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"source": "emo@eclipse.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-17T15:15:10.457",
"references": [
{
"source": "emo@eclipse.org",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12"
}
],
"sourceIdentifier": "emo@eclipse.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "emo@eclipse.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-4043
Vulnerability from fkie_nvd - Published: 2023-11-03 09:15 - Updated: 2024-11-21 08:34
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.
To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:eclipse:parsson:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3948712B-5810-4F69-87EB-07D1C01E0868",
"versionEndExcluding": "1.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eclipse:parsson:*:*:*:*:*:*:*:*",
"matchCriteriaId": "46E5C8CC-67EC-4276-AAF8-3E8C53DB277D",
"versionEndExcluding": "1.1.4",
"versionStartIncluding": "1.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.\n\n\nTo mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.\n\n\n"
},
{
"lang": "es",
"value": "En Eclipse Parsson antes de las versiones 1.1.4 y 1.0.5, el Parsing JSON de fuentes no confiables puede llevar a actores maliciosos a explotar el hecho de que el soporte integrado para analizar n\u00fameros a gran escala en Java tiene varios casos extremos en los que el texto de entrada de un n\u00famero puede llevar a un tiempo de procesamiento mucho mayor de lo que cabr\u00eda esperar. Para mitigar el riesgo, parsson estableci\u00f3 un l\u00edmite de tama\u00f1o para los n\u00fameros y su escala."
}
],
"id": "CVE-2023-4043",
"lastModified": "2024-11-21T08:34:17.207",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "emo@eclipse.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-03T09:15:13.600",
"references": [
{
"source": "emo@eclipse.org",
"tags": [
"Patch"
],
"url": "https://github.com/eclipse-ee4j/parsson/pull/100"
},
{
"source": "emo@eclipse.org",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/eclipse-ee4j/parsson/pull/100"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13"
}
],
"sourceIdentifier": "emo@eclipse.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
},
{
"lang": "en",
"value": "CWE-834"
}
],
"source": "emo@eclipse.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-834"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-7272 (GCVE-0-2023-7272)
Vulnerability from cvelistv5 – Published: 2024-07-17 15:00 – Updated: 2024-08-02 08:57
VLAI?
Title
Eclipse Parsson stack overflow with deeply nested objects
Summary
In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents.
Severity ?
8.6 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eclipse Foundation | Parsson |
Affected:
0 , ≤ 1.0.3
(semver)
Affected: 1.1.0 , ≤ 1.1.2 (semver) |
Credits
PJ Fanning
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:eclipse_foundation:parsson:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "parsson",
"vendor": "eclipse_foundation",
"versions": [
{
"lessThanOrEqual": "1.0.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.1.2",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-7272",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T13:26:07.187816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T13:31:25.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:57:35.165Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Parsson",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThanOrEqual": "1.0.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.1.2",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PJ Fanning"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents.\u003cbr\u003e"
}
],
"value": "In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T15:00:20.172Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Eclipse Parsson stack overflow with deeply nested objects",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2023-7272",
"datePublished": "2024-07-17T15:00:20.172Z",
"dateReserved": "2024-07-17T14:50:06.906Z",
"dateUpdated": "2024-08-02T08:57:35.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4043 (GCVE-0-2023-4043)
Vulnerability from cvelistv5 – Published: 2023-11-03 08:11 – Updated: 2024-09-05 14:31
VLAI?
Title
Parsson DoS when parsing numbers from untrusted sources
Summary
In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.
To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.
Severity ?
5.9 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eclipse Foundation | Parsson |
Affected:
0 , < 1.0.5
(semver)
Affected: 1.1.0 , < 1.1.4 (semver) |
Credits
Yuan Tian
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:17:11.483Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/eclipse-ee4j/parsson/pull/100"
},
{
"tags": [
"x_transferred"
],
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4043",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T14:21:34.711216Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T14:31:17.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Parsson",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThan": "1.0.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.1.4",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Yuan Tian"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.\u003c/p\u003e\n\u003cp\u003eTo mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.\n\n\nTo mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-834",
"description": "CWE-834 Excessive Iteration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T08:11:39.563Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://github.com/eclipse-ee4j/parsson/pull/100"
},
{
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Parsson DoS when parsing numbers from untrusted sources",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2023-4043",
"datePublished": "2023-11-03T08:11:39.563Z",
"dateReserved": "2023-08-01T14:21:55.370Z",
"dateUpdated": "2024-09-05T14:31:17.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-7272 (GCVE-0-2023-7272)
Vulnerability from nvd – Published: 2024-07-17 15:00 – Updated: 2024-08-02 08:57
VLAI?
Title
Eclipse Parsson stack overflow with deeply nested objects
Summary
In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents.
Severity ?
8.6 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eclipse Foundation | Parsson |
Affected:
0 , ≤ 1.0.3
(semver)
Affected: 1.1.0 , ≤ 1.1.2 (semver) |
Credits
PJ Fanning
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:eclipse_foundation:parsson:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "parsson",
"vendor": "eclipse_foundation",
"versions": [
{
"lessThanOrEqual": "1.0.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.1.2",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-7272",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T13:26:07.187816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T13:31:25.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:57:35.165Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Parsson",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThanOrEqual": "1.0.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.1.2",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PJ Fanning"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents.\u003cbr\u003e"
}
],
"value": "In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T15:00:20.172Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Eclipse Parsson stack overflow with deeply nested objects",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2023-7272",
"datePublished": "2024-07-17T15:00:20.172Z",
"dateReserved": "2024-07-17T14:50:06.906Z",
"dateUpdated": "2024-08-02T08:57:35.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4043 (GCVE-0-2023-4043)
Vulnerability from nvd – Published: 2023-11-03 08:11 – Updated: 2024-09-05 14:31
VLAI?
Title
Parsson DoS when parsing numbers from untrusted sources
Summary
In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.
To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.
Severity ?
5.9 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eclipse Foundation | Parsson |
Affected:
0 , < 1.0.5
(semver)
Affected: 1.1.0 , < 1.1.4 (semver) |
Credits
Yuan Tian
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:17:11.483Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/eclipse-ee4j/parsson/pull/100"
},
{
"tags": [
"x_transferred"
],
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4043",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T14:21:34.711216Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T14:31:17.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Parsson",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThan": "1.0.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.1.4",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Yuan Tian"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.\u003c/p\u003e\n\u003cp\u003eTo mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.\n\n\nTo mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-834",
"description": "CWE-834 Excessive Iteration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T08:11:39.563Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://github.com/eclipse-ee4j/parsson/pull/100"
},
{
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Parsson DoS when parsing numbers from untrusted sources",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2023-4043",
"datePublished": "2023-11-03T08:11:39.563Z",
"dateReserved": "2023-08-01T14:21:55.370Z",
"dateUpdated": "2024-09-05T14:31:17.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}