
There is a DoS vulnerability in the latest version 2.1.2 of jakartaee/jsonp-api

Basic information

Project name: jakartaee/jsonp-api

Project id: https://projects.eclipse.org/projects/ee4j.jsonp

What are the affected versions?

Not specified

Details of the issue

This issue has been reported to the security@ mailing list

I have discovered a DoS (Denial of Service) vulnerability in the latest version 2.1.2 of jakartaee/jsonp-api (https://projects.eclipse.org/projects/ee4j.jsonp, https://github.com/jakartaee/jsonp-api). The demo test code is as follows:

import jakarta.json.Json;
import jakarta.json.JsonArray;
import java.math.BigDecimal;

public class Demo {
    public static void main(String[] args) {
        // A BigDecimal with a huge exponent is cheap to construct: it is stored
        // as unscaled value 1 with scale -99999999, not as the expanded digits.
        JsonArray array = Json.createArrayBuilder()
                .add(new BigDecimal("1e99999999"))
                .build();
        // Converting it to BigInteger materialises all 100,000,000 digits.
        array.getJsonNumber(0).bigIntegerValue();
    }
}

The cause is that when processing BigDecimal, passing in a number that is too large (such as 1e99999999) will cause a lot of additional resources to be used for processing. If the user can control the input content data, for example, by calling Json.createArrayBuilder().add(data), it can cause a DoS issue.
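The following is an added defender's example, not code from the report or from jsonp-api. It reads the number back as a BigDecimal (which does not expand it) and refuses the conversion to BigInteger when the absolute scale is beyond a configurable bound, so an attacker-controlled exponent cannot force the expensive expansion. The class name, the helper name and the limit value of 100000 are assumptions; the snippet assumes a JSON-P provider on the classpath, as the report's demo does.

```java
import jakarta.json.Json;
import jakarta.json.JsonArray;
import jakarta.json.JsonNumber;
import java.math.BigDecimal;
import java.math.BigInteger;

public class SafeBigIntegerConversion {
    // Assumed limit: largest absolute scale accepted before conversion.
    // A BigDecimal with |scale| beyond this would be multiplied or divided
    // by a power of ten with that many digits inside toBigInteger().
    static final int MAX_ABS_SCALE = 100_000;

    // Hypothetical helper: bounds the work before delegating to BigDecimal.
    static BigInteger toBigIntegerChecked(JsonNumber number) {
        BigDecimal value = number.bigDecimalValue();  // no expansion happens here
        int scale = value.scale();                     // cheap: a stored int
        if (Math.abs(scale) > MAX_ABS_SCALE) {
            throw new IllegalArgumentException(
                    "scale " + scale + " exceeds limit " + MAX_ABS_SCALE);
        }
        return value.toBigInteger();                   // bounded cost once scale is bounded
    }

    public static void main(String[] args) {
        // Constructed input: one ordinary value and the value from the report.
        JsonArray array = Json.createArrayBuilder()
                .add(new BigDecimal("12345.678"))
                .add(new BigDecimal("1e99999999"))
                .build();
        for (int i = 0; i < array.size(); i++) {
            try {
                System.out.println("converted: " + toBigIntegerChecked(array.getJsonNumber(i)));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The same scale check applies to numbers produced by a JsonReader from untrusted JSON text, since those are also represented as BigDecimal; checking the scale rather than the string length is what matters, because the short literal "1e99999999" carries a scale of -99999999.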

Do you know any mitigations of the issue?

Not known

Edited by Marta Rybczynska