Allocation of Resources Without Limits or Throttling
CVE-2024-21634
Summary
Amazon Ion is a Java implementation of the Ion data notation. In versions prior to 1.10.5, a potential denial-of-service (DoS) attack issue exists in 'ion-java' for applications that use "ion-java" to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the "IonValue" model and then invoke certain "IonValue" methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the "IonValue" model, results in a StackOverflowError originating from the "ion-java" library. As a workaround, do not load data that originated from an untrusted source or that could have been tampered with.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
References
Advisory Timeline
- Published