CVE-2023-33008 - OpenCVE

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. This issue affects Apache Johnzon: through 1.2.20.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Johnzon
Redhat	Amq Broker Camel Spring Boot Openshift Application Runtimes

Configuration 1 [-]

cpe:2.3:a:apache:johnzon:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
AMQ Broker 7.11.2
apache-johnzon	cpe:/a:redhat:amq_broker:7	RHSA-2023:5491	2023-10-05T00:00:00Z
RHINT Camel-Springboot 4.0.0
apache-johnzon	cpe:/a:redhat:camel_spring_boot:4.0.0	RHSA-2023:5441	2023-10-04T00:00:00Z
Spring Boot 2.7.17
apache-johnzon	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2023:6114	2023-10-25T00:00:00Z

References

Link	Providers
https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l
https://nvd.nist.gov/vuln/detail/CVE-2023-33008
https://www.cve.org/CVERecord?id=CVE-2023-33008

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-07-07T09:07:31.070Z

Updated: 2024-08-02T15:32:46.616Z

Reserved: 2023-05-16T12:48:35.689Z

Link: CVE-2023-33008

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-07-07T10:15:09.487

Modified: 2023-07-14T17:00:04.467

Link: CVE-2023-33008

Redhat

Severity : Moderate

Publid Date: 2023-07-06T00:00:00Z

Links: CVE-2023-33008 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-33008", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-05-16T12:48:35.689Z", "datePublished": "2023-07-07T09:07:31.070Z", "dateUpdated": "2024-08-02T15:32:46.616Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Apache Johnzon", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.2.20", "status": "affected", "version": "0", "versionType": "1.2.21"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "PJ Fanning"}, {"lang": "en", "type": "remediation developer", "value": "Jean-Louis Monteiro"}, {"lang": "en", "type": "remediation reviewer", "value": "Romain Manni-Bucau"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon.<br></div><p>A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. <br></p><p>This issue affects Apache Johnzon: through 1.2.20.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon.\n\n\nA malicious attacker can craft up some JSON input that uses large numbers (numbers such as\u00a01e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. \n\n\nThis issue affects Apache Johnzon: through 1.2.20.\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-07-07T09:07:31.070Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l"}], "source": {"defect": ["JOHNZON-397"], "discovery": "EXTERNAL"}, "title": "Apache Johnzon: Prevent inefficient internal conversion from BigDecimal at large scale", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:32:46.616Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l"}]}]}}

{"affected_release": [{"advisory": "RHSA-2023:5491", "cpe": "cpe:/a:redhat:amq_broker:7", "package": "apache-johnzon", "product_name": "AMQ Broker 7.11.2", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5441", "cpe": "cpe:/a:redhat:camel_spring_boot:4.0.0", "package": "apache-johnzon", "product_name": "RHINT Camel-Springboot 4.0.0", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:6114", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "apache-johnzon", "product_name": "Spring Boot 2.7.17", "release_date": "2023-10-25T00:00:00Z"}], "bugzilla": {"description": "apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale", "id": "2221135", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221135"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-502", "details": ["Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon.\nA malicious attacker can craft up some JSON input that uses large numbers (numbers such as\u00a01e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. \nThis issue affects Apache Johnzon: through 1.2.20.", "A flaw was found in Apache Johnzon. This issue could allow an attacker to craft a specific JSON input that Johnzon will deserialize into a BigDecimal, which Johnzon may use to start converting large numbers, resulting in a denial of service."], "name": "CVE-2023-33008", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Affected", "package_name": "apache-johnzon", "product_name": "Red Hat build of Apache Camel for Spring Boot"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Out of support scope", "package_name": "apache-johnzon", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "apache-johnzon", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Will not fix", "package_name": "apache-johnzon", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "apache-johnzon", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "apache-johnzon", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "apache-johnzon", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "apache-johnzon", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "apache-johnzon", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Out of support scope", "package_name": "apache-johnzon", "product_name": "Red Hat Process Automation 7"}], "public_date": "2023-07-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-33008\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-33008\nhttps://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l"], "threat_severity": "Moderate", "upstream_fix": "johnzon 1.2.21"}