{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-5072", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2023-09-19T18:29:03.608Z", "datePublished": "2023-10-12T16:13:27.974Z", "dateUpdated": "2025-02-13T17:19:28.975Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "n/a", "vendor": "https://github.com/stleary/JSON-java", "versions": [{"lessThanOrEqual": "20230618", "status": "affected", "version": "0", "versionType": "date"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Denial of Service in </span><span style=\"background-color: rgb(255, 255, 255);\">JSON-Java versions up to and including 20230618. &nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.</span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span><br>"}], "value": "Denial of Service in JSON-Java versions up to and including 20230618. \u00a0A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used."}], "impacts": [{"capecId": "CAPEC-197", "descriptions": [{"lang": "en", "value": "CAPEC-197 Exponential Data Expansion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2024-06-21T19:08:23.050Z"}, "references": [{"url": "https://github.com/stleary/JSON-java/issues/758"}, {"url": "https://github.com/stleary/JSON-java/issues/771"}, {"url": "http://www.openwall.com/lists/oss-security/2023/12/13/4"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}], "source": {"discovery": "UNKNOWN"}, "title": "DoS Vulnerability in JSON-Java", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:44:53.789Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/stleary/JSON-java/issues/758", "tags": ["x_transferred"]}, {"url": "https://github.com/stleary/JSON-java/issues/771", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/12/13/4", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-21T16:23:55.801589Z", "id": "CVE-2023-5072", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-21T16:24:03.711Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/stleary/JSON-java/issues/758", "tags": ["x_transferred"]}, {"url": "https://github.com/stleary/JSON-java/issues/771", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/12/13/4", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:44:53.789Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-5072", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-21T16:23:55.801589Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-21T16:23:59.532Z"}}], "cna": {"title": "DoS Vulnerability in JSON-Java", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-197", "descriptions": [{"lang": "en", "value": "CAPEC-197 Exponential Data Expansion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "https://github.com/stleary/JSON-java", "product": "n/a", "versions": [{"status": "affected", "version": "0", "versionType": "date", "lessThanOrEqual": "20230618"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/stleary/JSON-java/issues/758"}, {"url": "https://github.com/stleary/JSON-java/issues/771"}, {"url": "http://www.openwall.com/lists/oss-security/2023/12/13/4"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Denial of Service in JSON-Java versions up to and including 20230618. \u00a0A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Denial of Service in </span><span style=\"background-color: rgb(255, 255, 255);\">JSON-Java versions up to and including 20230618. &nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.</span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2024-06-21T19:08:23.050Z"}}}, "cveMetadata": {"cveId": "CVE-2023-5072", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:19:28.975Z", "dateReserved": "2023-09-19T18:29:03.608Z", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "datePublished": "2023-10-12T16:13:27.974Z", "assignerShortName": "Google"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:json-java_project:json-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "13919820-D849-4641-A7E6-6E01A01862F2", "versionEndIncluding": "20230618", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Denial of Service in JSON-Java versions up to and including 20230618. \u00a0A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used."}, {"lang": "es", "value": "Denegaci\u00f3n de Servicio (DoS) en versiones JSON-Java hasta 20230618 incluida. Un error en el analizador significa que una cadena de entrada de tama\u00f1o modesto puede provocar el uso de cantidades indefinidas de memoria."}], "id": "CVE-2023-5072", "lastModified": "2024-11-21T08:41:00.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve-coordination@google.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-12T17:15:10.187", "references": [{"source": "cve-coordination@google.com", "url": "http://www.openwall.com/lists/oss-security/2023/12/13/4"}, {"source": "cve-coordination@google.com", "tags": ["Issue Tracking"], "url": "https://github.com/stleary/JSON-java/issues/758"}, {"source": "cve-coordination@google.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/stleary/JSON-java/issues/771"}, {"source": "cve-coordination@google.com", "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/12/13/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://github.com/stleary/JSON-java/issues/758"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/stleary/JSON-java/issues/771"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "cve-coordination@google.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3752", "cpe": "cpe:/a:redhat:amq_broker:7.10", "package": "hawtio-war", "product_name": "Red Hat AMQ Broker 7", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3762", "cpe": "cpe:/a:redhat:amq_broker:7.11", "package": "hawtio-war", "product_name": "Red Hat AMQ Broker 7", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:4271", "cpe": "cpe:/a:redhat:amq_broker:7.12", "package": "hawtio-war", "product_name": "Red Hat AMQ Broker 7", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2023:7678", "cpe": "cpe:/a:redhat:amq_streams:2", "product_name": "Red Hat AMQ Streams 2.6.0", "release_date": "2023-12-06T00:00:00Z"}, {"advisory": "RHSA-2023:7617", "cpe": "cpe:/a:redhat:camel_quarkus:3.2.0", "product_name": "Red Hat build of Apache Camel for Quarkus", "release_date": "2023-11-30T00:00:00Z"}, {"advisory": "RHSA-2024:3354", "cpe": "cpe:/a:redhat:jboss_fuse:7", "impact": "low", "package": "JSON-java", "product_name": "Red Hat Fuse 7.13.0", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:0148", "cpe": "cpe:/a:redhat:camel_k:1.10.5", "package": "JSON-java", "product_name": "RHINT Camel-K 1.10.5", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2023:7845", "cpe": "cpe:/a:redhat:camel_spring_boot:3.20.4", "package": "JSON-java", "product_name": "RHINT Camel-Springboot 3.20.4", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7842", "cpe": "cpe:/a:redhat:camel_spring_boot:4.0.2", "product_name": "RHINT Camel-Springboot 4.0.2", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2024:1353", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package": "JSON-java", "product_name": "RHPAM 7.13.5 async", "release_date": "2024-03-18T00:00:00Z"}], "bugzilla": {"description": "JSON-java: parser confusion leads to OOM", "id": "2246417", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2246417"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["Denial of Service in JSON-Java versions up to and including 20230618. \u00a0A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.", "A flaw was found in the org.json package. A bug in the parser exists, and an input string may lead to undefined usage of memory, leading to an out-of-memory error, causing a denial of service (DoS)."], "mitigation": {"lang": "en:us", "value": "No current mitigation is available for this flaw."}, "name": "CVE-2023-5072", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "JSON-java", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "JSON-java", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "JSON-java", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "JSON-java", "product_name": "Red Hat build of Debezium"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "JSON-java", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Affected", "package_name": "JSON-java", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Affected", "package_name": "JSON-java", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "JSON-java", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "JSON-java", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "JSON-java", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "JSON-java", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "JSON-java", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "JSON-java", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "JSON-java", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "JSON-java", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "JSON-java", "product_name": "streams for Apache Kafka"}], "public_date": "2023-10-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-5072\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5072\nhttps://github.com/stleary/JSON-java/issues/758\nhttps://github.com/stleary/JSON-java/issues/771"], "statement": "This vulnerability may cause denial of service with a small string input, causing the server to be unresponsive easily, hence the Important impact.", "threat_severity": "Important", "upstream_fix": "org.json 20231013"}