CVE-2018-18855

Uncontrolled Resource Consumption in Spray JSON

發布日:2022/6/28修改日:2025/9/30

描述

Recursive decent parsers are susceptible too StackOverflowExceptions on too deeply nested structures as currently "open" parsing state is kept on the stack.

受影響套件(12)

Maven/io.spray:spray-json_2.10from 0, < 1.3.5
Maven/io.spray:spray-json_2.11from 0, < 1.3.5
Maven/io.spray:spray-json_2.11.0-RC4from 0
Maven/io.spray:spray-json_2.12from 0, < 1.3.5
Maven/io.spray:spray-json_2.12.0-M3from 0
Maven/io.spray:spray-json_2.12.0-M5from 0
Maven/io.spray:spray-json_2.12.0-RC1from 0
Maven/io.spray:spray-json_2.12.0-RC2from 0
Maven/io.spray:spray-json_2.13.0-M2from 0
Maven/io.spray:spray-json_2.13.0-M4from 0
Maven/io.spray:spray-json_2.13.0-M5from 0, < 1.3.5
Maven/io.spray:spray-json_2.9.3from 0

參考連結(3)

PATCHhttps://github.com/spray/spray-json
WEBhttps://github.com/spray/spray-json/pull/284
WEBhttps://security.snyk.io/vuln/SNYK-JAVA-IOSPRAY-72601