CVE-2023-33008
Apache Johnzon Deserialization of Untrusted Data vulnerability
CVSS 3.1 base score: 5.3 (MEDIUM). EPSS: 0.16%
Description
An attacker can craft JSON input containing very large numbers (for example 1e20000000) that Apache Johnzon deserializes into a BigDecimal. Handling such oversized values can result in a slow conversion, which is a denial-of-service risk. Apache Johnzon 1.2.21 mitigates this by applying a scale limit (1000 by default) to the BigDecimal. This issue affects Apache Johnzon through 1.2.20.
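As an added illustration of the mitigation described above (this is not Apache Johnzon's own code), the following Java snippet parses a JSON numeric literal into a BigDecimal and rejects any value whose scale exceeds a limit before the value is ever expanded. The class and method names are hypothetical; the limit of 1000 is the default the advisory states.

```java
import java.math.BigDecimal;

// Hypothetical guard demonstrating the scale-limit idea behind the CVE-2023-33008 fix.
// Not Johnzon's implementation; the limit value mirrors the advisory's stated default.
public final class BigDecimalScaleGuard {
    static final int MAX_SCALE = 1000;

    // Parsing is cheap even for "1e20000000": BigDecimal stores unscaled value 1
    // with scale -20000000 and does not expand the digits.
    static BigDecimal parse(String jsonNumber) {
        return new BigDecimal(jsonNumber);
    }

    // Number of digits a negative-scale value would occupy once expanded to an
    // integer (e.g. by toBigInteger or toPlainString): this is the costly path.
    static long expandedDigits(BigDecimal value) {
        return (long) value.precision() - value.scale();
    }

    // Reject out-of-range scales up front, before any consumer can trigger the expansion.
    static BigDecimal checkedParse(String jsonNumber) {
        BigDecimal value = parse(jsonNumber);
        if (Math.abs(value.scale()) > MAX_SCALE) {
            throw new IllegalArgumentException(
                "number scale " + value.scale() + " exceeds limit " + MAX_SCALE);
        }
        return value;
    }

    public static void main(String[] args) {
        // Ordinary inputs pass through unchanged.
        System.out.println(checkedParse("123.45"));
        System.out.println(checkedParse("1e300"));

        // The advisory's example is rejected at parse time.
        try {
            checkedParse("1e20000000");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Without the guard the value is accepted; only the later expansion is slow.
        // We only compute how large that expansion would be, without performing it.
        BigDecimal unguarded = parse("1e20000000");
        System.out.println("digits an unguarded expansion would produce: "
            + expandedDigits(unguarded));
    }
}
```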
How to fix CVE-2023-33008
To remediate CVE-2023-33008, upgrade the affected package to a fixed version below.
- Upgrade to 1.2.21 or later.
Is CVE-2023-33008 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- All versions from 0 up to, but not including, 1.2.21
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |