CVE-2023-7272 - Vulnerability Details - OpenCVE

In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00566.

Key SSVC decision points have not yet been added.

Vendors	Products
Eclipse	Parsson

Configuration 1 [-]

OR	cpe:2.3:a:eclipse:parsson::::::::
	cpe:2.3:a:eclipse:parsson::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-2228	In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents.
Github GHSA	GHSA-2rwm-xv5j-777p	Eclipse Parsson stack overflow when parsing deeply nested input

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12
https://nvd.nist.gov/vuln/detail/CVE-2023-7272
https://www.cve.org/CVERecord?id=CVE-2023-7272

History

Thu, 06 Feb 2025 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Eclipse Eclipse parsson
CPEs		cpe:2.3:a:eclipse:parsson::::::::
Vendors & Products		Eclipse Eclipse parsson

MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2024-07-17T15:00:20.172Z

Updated: 2024-08-02T08:57:35.165Z

Reserved: 2024-07-17T14:50:06.906Z

Link: CVE-2023-7272

Vulnrichment

Updated: 2024-08-02T08:57:35.165Z

NVD

Status : Analyzed

Published: 2024-07-17T15:15:10.457

Modified: 2025-02-06T18:07:45.847

Link: CVE-2023-7272

Redhat

Severity : Moderate

Publid Date: 2024-07-17T00:00:00Z

Links: CVE-2023-7272 - Bugzilla

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-7272", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2024-07-17T14:50:06.906Z", "datePublished": "2024-07-17T15:00:20.172Z", "dateUpdated": "2024-08-02T08:57:35.165Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Parsson", "vendor": "Eclipse Foundation", "versions": [{"lessThanOrEqual": "1.0.3", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "1.1.2", "status": "affected", "version": "1.1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "PJ Fanning"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents.<br>"}], "value": "In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2024-07-17T15:00:20.172Z"}, "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12"}], "source": {"discovery": "UNKNOWN"}, "title": "Eclipse Parsson stack overflow with deeply nested objects", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "eclipse_foundation", "product": "parsson", "cpes": ["cpe:2.3:a:eclipse_foundation:parsson:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.3", "versionType": "semver"}, {"version": "1.1.0", "status": "affected", "lessThanOrEqual": "1.1.2", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-18T13:26:07.187816Z", "id": "CVE-2023-7272", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-18T13:31:25.196Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:57:35.165Z"}, "title": "CVE Program Container", "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:57:35.165Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-7272", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-18T13:26:07.187816Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:eclipse_foundation:parsson:*:*:*:*:*:*:*:*"], "vendor": "eclipse_foundation", "product": "parsson", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.3"}, {"status": "affected", "version": "1.1.0", "versionType": "semver", "lessThanOrEqual": "1.1.2"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-18T13:28:40.493Z"}}], "cna": {"title": "Eclipse Parsson stack overflow with deeply nested objects", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "PJ Fanning"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Eclipse Foundation", "product": "Parsson", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.3"}, {"status": "affected", "version": "1.1.0", "versionType": "semver", "lessThanOrEqual": "1.1.2"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents.", "supportingMedia": [{"type": "text/html", "value": "In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2024-07-17T15:00:20.172Z"}}}, "cveMetadata": {"cveId": "CVE-2023-7272", "state": "PUBLISHED", "dateUpdated": "2024-08-02T08:57:35.165Z", "dateReserved": "2024-07-17T14:50:06.906Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2024-07-17T15:00:20.172Z", "assignerShortName": "eclipse"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:parsson:*:*:*:*:*:*:*:*", "matchCriteriaId": "60E3654D-D790-47C4-8422-35DA7C26CC78", "versionEndExcluding": "1.0.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:eclipse:parsson:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6E85442-5345-483A-B2D9-CF0851B306DB", "versionEndExcluding": "1.1.3", "versionStartIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents."}, {"lang": "es", "value": "En Eclipse Parsson anterior a 1.0.4 y 1.1.3, un documento con una gran profundidad de objetos anidados puede permitir que un atacante provoque una excepci\u00f3n de desbordamiento de pila de Java y denegaci\u00f3n de servicio. Eclipse Parsson permite procesar (por ejemplo, analizar, generar, transformar y consultar) documentos JSON."}], "id": "CVE-2023-7272", "lastModified": "2025-02-06T18:07:45.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "emo@eclipse.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-17T15:15:10.457", "references": [{"source": "emo@eclipse.org", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "emo@eclipse.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "parsson: stack overflow when parsing deeply nested input", "id": "2298458", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298458"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents.", "A flaw was found in Eclipse Parsson. A document containing a large depth of nested objects may allow an attacker to cause a Java stack overflow exception, potentially leading to a denial of service."], "name": "CVE-2023-7272", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Not affected", "package_name": "org.eclipse.parsson/parsson", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "org.eclipse.parsson/parsson", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Not affected", "package_name": "org.eclipse.parsson/parsson", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "org.eclipse.parsson/parsson", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Not affected", "package_name": "org.eclipse.parsson/parsson", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "org.eclipse.parsson/parsson", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "org.eclipse.parsson.jakarta.json", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "org.eclipse.parsson.parsson", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "org.eclipse.parsson/parsson", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "org.eclipse.parsson-project", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "org.eclipse.parsson/parsson", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.eclipse.parsson-project", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "org.eclipse.parsson/parsson", "product_name": "streams for Apache Kafka"}], "public_date": "2024-07-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-7272\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-7272\nhttps://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12"], "threat_severity": "Moderate"}