There is a DoS vulnerability in the latest version 2.1.2 of jakartaee/jsonp-api

Basic information

Project name: jakartaee/jsonp-api

Project id: https://projects.eclipse.org/projects/ee4j.jsonp

What are the affected versions?

Not specified

Details of the issue

This issue has been reported to the security@ mailing list

I have discovered a DoS (Denial of Service) vulnerability in the latest version 2.1.2 of jakartaee/jsonp-api (https://projects.eclipse.org/projects/ee4j.jsonp, https://github.com/jakartaee/jsonp-api). The demo test code is as follows:

```java
import jakarta.json.Json;
import jakarta.json.JsonArray;
import java.math.BigDecimal;

// Class and main() wrapper added so the snippet compiles; the report elided them ("xxxxx").
public class JsonpDosDemo {
    public static void main(String[] args) {
        // Build an array holding a BigDecimal with a huge exponent (1 followed by 99,999,999 zeros).
        JsonArray array = Json.createArrayBuilder()
                .add(new BigDecimal("1e99999999"))
                .build();
        // Converting to BigInteger materialises every digit, consuming large amounts of CPU and memory.
        array.getJsonNumber(0).bigIntegerValue();
    }
}
```

The cause is that when processing BigDecimal, passing in a number that is too large (such as 1e99999999) will cause a lot of additional resources to be used for processing. If the user can control the input content data, for example, by calling Json.createArrayBuilder().add(data), it can cause a DoS issue.
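A defensive check, added here as an illustration and not part of the report or the jsonp-api project: before converting a JsonNumber to BigInteger, bound the number of integer digits implied by its precision and scale, so a value such as 1e99999999 is rejected instead of expanded. The class name, method name and digit limit are assumptions, and the code assumes a JSON-P implementation (such as Eclipse Parsson) is on the classpath.

```java
import jakarta.json.Json;
import jakarta.json.JsonArray;
import jakarta.json.JsonNumber;
import java.math.BigDecimal;
import java.math.BigInteger;

public class SafeBigIntegerConversion {
    // Upper bound on the decimal digits an integer conversion may produce.
    // Assumed value chosen for illustration; tune it to the application.
    static final int MAX_INTEGER_DIGITS = 10_000;

    /**
     * Converts a JsonNumber to BigInteger only if the result would have at most
     * MAX_INTEGER_DIGITS decimal digits. BigDecimal.toBigInteger() materialises
     * the full integer, so 1e99999999 would otherwise expand to ~100 million digits.
     */
    static BigInteger boundedBigIntegerValue(JsonNumber n) {
        BigDecimal d = n.bigDecimalValue();
        // precision() counts the digits of the unscaled value; the value is
        // unscaled * 10^(-scale), so the integer part has about
        // precision - scale digits. Neither call expands the number.
        long integerDigits = (long) d.precision() - d.scale();
        if (integerDigits > MAX_INTEGER_DIGITS) {
            throw new IllegalArgumentException(
                "number too large to convert: ~" + integerDigits + " integer digits");
        }
        return d.toBigInteger();
    }

    public static void main(String[] args) {
        // Constructed sample input: one ordinary value and the value from the report.
        JsonArray array = Json.createArrayBuilder()
                .add(new BigDecimal("123.45"))      // small value: converts normally
                .add(new BigDecimal("1e99999999"))  // the report's input: rejected
                .build();
        System.out.println(boundedBigIntegerValue(array.getJsonNumber(0)));
        try {
            boundedBigIntegerValue(array.getJsonNumber(1));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```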

Do you know any mitigations of the issue?

Not known

Edited by Marta Rybczynska