CVE-2023-33008
Last modified
CVE-2023-33008 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. EPSS estimates a 1.10% chance of exploitation in the next 30 days.
Description
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. This issue affects Apache Johnzon: through 1.2.20.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Johnzon | < 1.2.21 |
References
- https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43lIssue Tracking, Mailing List, Vendor Advisory
- https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43lIssue Tracking, Mailing List, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-33008?
How severe is CVE-2023-33008?
How do I fix CVE-2023-33008?
Are you affected by CVE-2023-33008?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST