Uncontrolled Recursion in net.minidev:json-smart

CVE-2023-1370

net.minidev:json-smart
net.minidev:json-smart-mini

High

7.5/10

Summary

Json-smart is a performance-focused, JSON processor lib. When reaching a '[' or '{' character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects in versions prior to 2.4.9. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-674 - Uncontrolled Recursion

The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

References

Advisory Timeline

Published Mar 22, 2023

Uncontrolled Recursion in net.minidev:json-smart

CVE-2023-1370

Summary

CWE-674 - Uncontrolled Recursion

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS