CVE-2023-4043

In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.


To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
eclipseCNA
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
VendorProductVersion
eclipseparsson
𝑥
< 1.0.5
eclipseparsson
1.1.0 ≤
𝑥
< 1.1.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/eclipse-ee4j/parsson/pull/100
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13
https://github.com/eclipse-ee4j/parsson/pull/100
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13