CVE-2021-31684
Description
A denial of service vulnerability in JSON Smart's indexOf function allows crafted web requests to cause an ArrayIndexOutOfBoundsException, leading to application crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The indexOf function in JSONParserByteArray in JSON Smart versions 1.3 and 2.4 is vulnerable to an ArrayIndexOutOfBoundsException when processing specially crafted JSON input. This flaw can be triggered remotely via a web request, resulting in a denial of service (DoS) condition [1][2][3].
Exploitation
An attacker can exploit this vulnerability by sending a crafted web request containing malicious JSON data to an application that uses the vulnerable JSON Smart library. No authentication or special privileges are required; the attack is network-based and can be performed remotely.
Impact
Successful exploitation causes the application to crash due to an unhandled ArrayIndexOutOfBoundsException, leading to a denial of service. This impacts the availability of the affected service, though no data integrity or confidentiality is compromised.
Mitigation
Fixes are available in pull requests for both affected versions: for JSON Smart v1, see [3]; for v2, see [1]. Users should update to patched versions (e.g., v1.4 or later for v1, and v2.4.1 or later for v2) as soon as possible. The NVD entry [2] provides additional details and links to advisories.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| net.minidev:json-smart (Maven) | >= 1.3.0, < 1.3.3 | 1.3.3 |
| net.minidev:json-smart (Maven) | >= 2.4.0, < 2.4.4 | 2.4.4 |
Affected products
- JSON Smart/JSON Smart (description)
- osv-coords, 16 versions:
  - pkg:apk/chainguard/celeborn-0.6 (no CPE), range: < 0.6.3-r7
  - pkg:apk/chainguard/hadoop-client-modules (no CPE), range: < 3.3.6-r7
  - pkg:apk/chainguard/spark-3.5.0-compat (no CPE), range: < 0
  - pkg:apk/chainguard/spark-3.5.0-compat-minimal (no CPE), range: < 0
  - pkg:apk/chainguard/thingsboard (no CPE), range: < 3.7-r4
  - pkg:apk/chainguard/thingsboard-tb-js-executor (no CPE), range: < 3.7-r4
  - pkg:apk/chainguard/thingsboard-tb-mqtt-transport (no CPE), range: < 3.7-r4
  - pkg:apk/chainguard/thingsboard-tb-node (no CPE), range: < 3.7-r4
  - pkg:apk/chainguard/thingsboard-tb-web-ui (no CPE), range: < 3.7-r4
  - pkg:apk/wolfi/celeborn-0.6 (no CPE), range: < 0.6.3-r7
  - pkg:apk/wolfi/thingsboard (no CPE), range: < 3.7-r4
  - pkg:apk/wolfi/thingsboard-tb-js-executor (no CPE), range: < 3.7-r4
  - pkg:apk/wolfi/thingsboard-tb-mqtt-transport (no CPE), range: < 3.7-r4
  - pkg:apk/wolfi/thingsboard-tb-node (no CPE), range: < 3.7-r4
  - pkg:apk/wolfi/thingsboard-tb-web-ui (no CPE), range: < 3.7-r4
  - pkg:maven/net.minidev/json-smart (no CPE), range: >= 1.3.0, < 1.3.3
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-fg2v-w576-w4v3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-31684 (ghsa, ADVISORY)
- github.com/netplex/json-smart-v1/issues/10 (ghsa, WEB)
- github.com/netplex/json-smart-v1/pull/11 (ghsa, WEB)
- github.com/netplex/json-smart-v2/issues/67 (ghsa, WEB)
- github.com/netplex/json-smart-v2/pull/68 (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2023/03/msg00030.html (ghsa, mailing-list, WEB)
- security.netapp.com/advisory/ntap-20240621-0006 (ghsa, WEB)
- www.oracle.com/security-alerts/cpujan2022.html (ghsa, WEB)
- www.oracle.com/security-alerts/cpujul2022.html (ghsa, WEB)
- security.netapp.com/advisory/ntap-20240621-0006/ (mitre)