CVE-2023-4043

In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.

To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.

Published: Nov 3, 2023
Updated: May 10, 2024
CVE: CVE-2023-4043
GHSA: GHSA-g8p6-p27c-52fx
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-20
CWE-834

Affected Software
References

Software	From	Fixed in
org.eclipse.parsson / project	1.1.0	1.1.4
org.eclipse.parsson / project	-	1.0.5
eclipse / parsson	-	1.0.5
eclipse / parsson	1.1.0	1.1.4

https://github.com/eclipse-ee4j/parsson/pull/100
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13

Vulnerability Database

289,599

CVE-2023-4043