CVE-2013-3300
Lift Sensitive Information Disclosure
EPSS 0.16%
Description
The JsonParser class in json/JsonParser.scala in Lift before 2.5 interprets a certain end-index value as a length value, which allows remote authenticated users to obtain sensitive information from other users' sessions via invalid input data containing a < (less than) character.
How to fix CVE-2013-3300
To remediate CVE-2013-3300, upgrade the affected package to a fixed version listed below.
- Maven/net.liftweb:lift-webkit—no fix listed
- Maven/net.liftweb:lift-webkit_2.7.7—no fix listed
- —no fix listed
- —no fix listed
- —no fix listed
- —no fix listed
- —no fix listed
- —upgrade to 2.5 or later
Is CVE-2013-3300 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (8)
- from 0
- from 0
- from 0
- from 0
- from 0
- from 0
- from 0
- from 0, < 2.5