Moderate severity · NVD Advisory · Published Jul 7, 2023 · Updated Oct 7, 2024
Apache Johnzon: Prevent inefficient internal conversion from BigDecimal at large scale
CVE-2023-33008
Description
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon.
An attacker can craft JSON input containing numbers with very large exponents (for example 1e20000000). Apache Johnzon deserializes such a literal into a java.math.BigDecimal, which is cheap, but the resulting value carries a scale in the tens of millions, and any later conversion of it to an integral type or a plain digit string has to materialise a number with that many digits. The conversion is therefore extremely slow and allocation-heavy, so untrusted JSON can exhaust CPU and memory (denial-of-service risk). Apache Johnzon 1.2.21 mitigates this by enforcing a scale limit on the BigDecimal (1000 by default) so that oversized numbers are rejected before they are converted.
This issue affects Apache Johnzon through 1.2.20.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.johnzon:johnzon-mapper | Maven | < 1.2.21 | 1.2.21 |
Affected products
- Apache Software Foundation / Apache Johnzon
Patches
- Fixed in Apache Johnzon 1.2.21 (JOHNZON-397, commit 34ad9a6b296ae7b4667c3cf0037998e451499ea4), which caps the scale of parsed BigDecimal values at 1000 by default.
Vulnerability mechanics
A java.math.BigDecimal is an unscaled integer plus a 32-bit scale, so parsing 1e20000000 costs almost nothing: the unscaled value is 1 and the scale is -20000000. The work is deferred to whatever touches the value next. Converting it to an int, long or BigInteger, or rendering it with toPlainString(), means computing 10^|scale| or writing out 20,000,000 digits, so CPU time and allocation grow with the exponent the attacker chose while the request body stays a few bytes long. Negative exponents such as 1e-20000000 are just as bad, since the integral conversions then divide by the same power of ten. The fix in 1.2.21 compares the scale of the parsed BigDecimal against a limit (1000 by default) and rejects values beyond it before any such conversion runs, trading an unbounded computation for one integer comparison.
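The cheap-to-parse, expensive-to-convert asymmetry described above, and the kind of scale cap that closes it, as a stand-alone added example. This is not Johnzon's code: the class and method names (BigDecimalScaleGuard, parseBounded, timeToBigInteger) are hypothetical, the 1000 default mirrors the limit the advisory states, and checking the magnitude of the scale so that both 1eN and 1e-N are caught is this example's own choice rather than a statement about how Johnzon implements its check. The sample literals are constructed for the demo.

```java
import java.math.BigDecimal;
import java.math.BigInteger;

/**
 * Illustration of the CVE-2023-33008 failure mode (example code, not Johnzon's).
 * A literal such as 1e20000000 parses into a BigDecimal almost for free
 * (unscaled value 1, scale -20000000); the cost only appears when the value
 * is converted to an integral type, because that materialises 10^|scale|.
 */
public class BigDecimalScaleGuard {

    /** Default cap; matches the 1000 the advisory says Johnzon 1.2.21 applies by default. */
    static final int DEFAULT_MAX_SCALE = 1000;

    /**
     * Parse a JSON number literal the way a JSON parser would hand it to BigDecimal,
     * then reject it if the magnitude of its scale exceeds maxScale. The check runs
     * right after parsing, before any caller can trigger an expensive conversion.
     */
    static BigDecimal parseBounded(String literal, int maxScale) {
        BigDecimal value = new BigDecimal(literal);
        int scale = value.scale();
        // Checking |scale| (an assumption of this example) covers both 1eN, where
        // toBigInteger() multiplies by 10^N, and 1e-N, where it divides by 10^N.
        if (Math.abs(scale) > maxScale) {
            throw new ArithmeticException("BigDecimal scale " + scale
                    + " exceeds allowed magnitude " + maxScale);
        }
        return value;
    }

    static BigDecimal parseBounded(String literal) {
        return parseBounded(literal, DEFAULT_MAX_SCALE);
    }

    /** Time one unbounded integral conversion, in milliseconds, to show where the cost lands. */
    static long timeToBigInteger(BigDecimal value) {
        long start = System.nanoTime();
        BigInteger converted = value.toBigInteger();   // computes 10^|scale| for large scales
        long elapsedMs = (System.nanoTime() - start) / 1_000_000;
        System.out.println("  result has " + converted.bitLength() + " bits");
        return elapsedMs;
    }

    public static void main(String[] args) {
        // Constructed sample literals: the first two are the hostile shapes, the rest are benign
        // or sit exactly at the boundary of the default limit.
        String[] literals = {"1e20000000", "1e-20000000", "123.456", "1e1000", "1e1001"};
        for (String literal : literals) {
            try {
                BigDecimal v = parseBounded(literal);
                System.out.println(literal + " accepted, scale=" + v.scale());
            } catch (ArithmeticException e) {
                System.out.println(literal + " rejected: " + e.getMessage());
            }
        }

        // Parsing the hostile literal is instantaneous; the unguarded conversion is not.
        // A moderate exponent is used here so the demo finishes; the cost grows with the exponent.
        BigDecimal unguarded = new BigDecimal("1e2000000");
        System.out.println("unguarded parse done, scale=" + unguarded.scale());
        System.out.println("toBigInteger() took " + timeToBigInteger(unguarded) + " ms");
    }
}
```

Run it with `javac BigDecimalScaleGuard.java && java BigDecimalScaleGuard`. The two hostile literals and 1e1001 are rejected at parse time, 123.456 and 1e1000 pass, and the final timing shows that the expense sits entirely in the conversion, which is the step a mapper performs when it binds a JSON number to an int, long or BigInteger field.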
References
- github.com/advisories/GHSA-crqg-jrpj-fc84 (GitHub Security Advisory)
- lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l (Apache vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-33008 (NVD record)
- github.com/apache/johnzon/commit/34ad9a6b296ae7b4667c3cf0037998e451499ea4 (fix commit)
- issues.apache.org/jira/browse/JOHNZON-397 (Apache JIRA)