Skip to main content

Allocation of Resources Without Limits or Throttling


Severity High
Score 7.5/10


Amazon Ion is a Java implementation of the Ion data notation. In versions prior to 1.10.5, a potential denial-of-service (DoS) attack issue exists in 'ion-java' for applications that use "ion-java" to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the "IonValue" model and then invoke certain "IonValue" methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the "IonValue" model, results in a StackOverflowError originating from the "ion-java" library. As a workaround, do not load data that originated from an untrusted source or that could have been tampered with.

  • LOW
  • NONE
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-770 - Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Advisory Timeline

  • Published