jakartaee/parsson: DoS vulnerability
The Eclipse Foundation is a Common Vulnerabilities and Exposures (CVE) Numbering Authority. This issue it used to request and track the progress of the assignment of a CVE for a vulnerability in the project code for an Eclipse open source project.
Basic information
Project name: eclipse-ee4j/parsson
Project id: {id}
Request type: reservation/publication
Versions affected: before 1.1.4 and 1.0.5 (those two are not affected)
Common Weakness Enumeration:
Common Vulnerability Scoring System: {cvss} CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (with base score 5.1)
Summary:
In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.
To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.
Credits: Yuan Tian
Links:
Tracking
This section will completed by the project team.
- Reserve an entry only
- We're ready for this issue to be reported to the central authority (i.e., make this public now)
- (when applicable) The GitHub Security Advisory is ready to be published now
Note that for those projects that host their repositories on GitHub, the use of GitHub Security Advisories is recommended but is not required.
This section will be completed by the EMO.
CVE: {cve}
- All required information is provided
- CVE Assigned
- Pushed to Mitre
- Accepted by Mitre
Activity
assigned to @mbarbero, @mrybczyn, @ljungmann, and @yuanyuan
@ljungmann @yuanyuan what I need from you is the summary (as this is resolved know, you know better what was the cause reason), affected versions. If you are able to figure out CWE (weekness type) and CVSS (score), that's better. If you have a problem with that I will do it myself.
I think what was written earlier that affected jakartaee/jsonp-api was wrong and fundamentally affected eclipse-ee4j/parsson.I calculate CWE (CWE - 20: Improper Input Validation) and CVSS (High CVSS 7.5:3.0 / AV: N/AC: L/PR: N/UI: N/S: U/C: N/I: N/A: H), because not A professional, for reference only
keep in mind that parsson is a split up from jsonp-ri. Before the split, the code of the implementation has lived in the jsonp-api repository and used to be released in
org.glassfish:jakarta.jsonmaven artifact (up to Java EE 8/Jakarta EE 8). Having said that, all versions oforg.glassfish:jakarta.jsonare affected too and users should be encouraged to move to parssonDescription:
Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.
To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.
mentioned in issue vulnerability-reports#13 (closed)
@yuanyuan how would you like to be mentioned in the credits (esp. which spelling of your name to use)?
For CWE I propose you two (we can have more than one in the issue):
CWE-20: Improper Input Validation https://cwe.mitre.org/data/definitions/20.html
CWE-834: Excessive Iteration https://cwe.mitre.org/data/definitions/834.html
Edited by Marta Rybczynska@ljungmann Thank you for the remark on Glassfish. I can see that Glassfish 7.0.7 has Parsson 1.1.3. Have you already have a process in place to tell them to update their Parsson version? (I mean in a coordinated disclosure manner)
Coordinated disclosure with Glassfish in https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/157 (Yuan Tian, haven't added it here, it's for the Glassfish team information)
