CVE-2023-33008

Apache Johnzon: Prevent inefficient internal conversion from BigDecimal at large scale

Description

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. This issue affects Apache Johnzon: through 1.2.20.

References

Link	Tags
https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l	vendor advisory mailing list issue tracking

Frequently Asked Questions

What is the severity of CVE-2023-33008?: CVE-2023-33008 has been scored as a medium severity vulnerability.
How to fix CVE-2023-33008?: To fix CVE-2023-33008, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-33008 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2023-33008 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-33008?: CVE-2023-33008 affects Apache Software Foundation Apache Johnzon.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Category

CWE-502 – Deserialization of Untrusted Data

References

Frequently Asked Questions