CVE-2022-40150

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

Published: Sep 16, 2022
Updated: Jul 14, 2023
CVE: CVE-2022-40150
GHSA: GHSA-x27m-9w8j-5vcw
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-400
CWE-674

Affected Software
References

Software	From	Fixed in
jettison_project / jettison	-	1.4.0.x
debian / debian_linux	10.0	10.0.x
debian / debian_linux	11.0	11.0.x
org.codehaus.jettison / jettison	-	1.5.2

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549
https://github.com/jettison-json/jettison/issues/45
https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html
https://www.debian.org/security/2023/dsa-5312

Vulnerability Database

CVE-2022-40150