Critical severity · NVD Advisory · Published Dec 27, 2023 · Updated Sep 11, 2024

CVE-2023-51084

Description

hyavijava v6.0.07.1 contains a stack overflow vulnerability in the ResultConverter.convert2Xml method, exploitable via specially crafted input causing denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

hyavijava v6.0.07.1, a fork of the yavijava library for VMware vSphere, suffers from a stack overflow vulnerability in the ResultConverter.convert2Xml method. The issue manifests as an infinite recursion between the convertTable and convertTdValue methods, which leads to a java.lang.StackOverflowError [1][3]. This occurs when the input data contains deeply nested or cyclic structures that cause the conversion logic to keep calling itself without a proper termination condition.

Exploitation

The vulnerability can be triggered by supplying a specially crafted input to the ResultConverter.convert2Xml method. An attacker does not need authentication or other special privileges if they can control the input processed by this method. The stack overflow happens due to the recursive nature of the conversion logic, which does not handle deeply nested or self-referential data [1]. The error trace shows a recurring pattern of convertTable calling convertTdValue and vice versa, confirming the recursive loop.

Impact

Successful exploitation leads to a denial of service (DoS) condition, as the Java Virtual Machine (JVM) will terminate the thread with a StackOverflowError. This can crash the application or service using the hyavijava library, potentially disrupting operations. There is no evidence of remote code execution or privilege escalation; the primary impact is availability [3].

Mitigation

As of the publication date, no official patch has been released by the vendor, and the project appears to be dormant [2]. Users are advised to limit exposure to untrusted input processed by the vulnerable method or implement input validation to prevent deeply nested data structures. Given the project's inactivity, migrating to alternative libraries (e.g., the original yavijava) may be a long-term solution.
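
One way to implement the input validation suggested above, as an added example that is not code from hyavijava or from this advisory: a pre-check that walks the data with an explicit work stack, so the check itself cannot overflow, and rejects self-referential or overly deep input before it reaches the converter. The `NestingGuard` class, the `MAX_DEPTH` value, and the modelling of input as nested `Object[]`/`Collection`/`Map` values are assumptions; the types `convert2Xml` actually accepts are not shown on this page. Requires Java 16 or later.

```java
import java.util.*;

/** Hypothetical pre-check; not part of hyavijava. */
public final class NestingGuard {
    static final int MAX_DEPTH = 64; // assumed limit; set to the deepest legitimate result

    /** A container to expand or, when leave is true, a marker to take it off the current path. */
    private record Frame(Object node, int depth, boolean leave) {}

    /** Throws IllegalArgumentException if root is cyclic or nested deeper than MAX_DEPTH. */
    public static void check(Object root) {
        // Identity-based set: calling hashCode() on a cyclic list would itself recurse forever.
        Set<Object> onPath = Collections.newSetFromMap(new IdentityHashMap<>());
        Deque<Frame> work = new ArrayDeque<>();
        work.push(new Frame(root, 1, false));
        while (!work.isEmpty()) {
            Frame f = work.pop();
            if (f.leave()) { onPath.remove(f.node()); continue; }
            Collection<?> children = childrenOf(f.node());
            if (children == null) continue;                    // scalar leaf
            if (f.depth() > MAX_DEPTH)
                throw new IllegalArgumentException("nesting deeper than " + MAX_DEPTH);
            if (!onPath.add(f.node()))                         // already an ancestor of itself
                throw new IllegalArgumentException("self-referential structure");
            work.push(new Frame(f.node(), f.depth(), true));   // popped after all descendants
            for (Object c : children) work.push(new Frame(c, f.depth() + 1, false));
        }
    }

    /** Children of a container, or null for anything treated as a leaf value. */
    private static Collection<?> childrenOf(Object o) {
        if (o instanceof Object[] a) return Arrays.asList(a);
        if (o instanceof Collection<?> c) return c;
        if (o instanceof Map<?, ?> m) return m.values();
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the advisory.
        check(List.of("vm-1", new Object[] {"cpu", List.of(2, 4)}));  // shallow, acyclic
        List<Object> cyclic = new ArrayList<>();
        cyclic.add(cyclic);                                           // list containing itself
        try { check(cyclic); } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
        Object deep = "leaf";
        for (int i = 0; i < 10_000; i++) deep = new Object[] {deep};  // 10,000 nested arrays
        try { check(deep); } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```

Catching `StackOverflowError` around the converter call is a weaker alternative: it keeps the calling thread alive but still lets untrusted input consume the whole stack before failing.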

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.github:hyavijava (Maven) | <= 6.0.07.1 | -

Affected products

2

Patches

0

No patches discovered yet.

References

3