CVE-2021-27568: Infoleak
First published: Tue Feb 23 2021(Updated: )
A flaw was found in json-smart. When an exception is thrown from a function, but is not caught, the program using the library may crash or expose sensitive information. The highest threat from this vulnerability is to data confidentiality and system availability. In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of json-smart package. Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future. [1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Json-smart Project Json-smart-v1 | <1.3.2 | |
| Json-smart Project Json-smart-v2 | <2.3.1 | |
| Json-smart Project Json-smart-v2 | >=2.4<2.4.1 | |
| Oracle Communications Cloud Native Core Policy | =1.14.0 | |
| Oracle OSS Support Tools | <2.12.42 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Oracle Utilities Framework | =4.4.0.0.0 | |
| Oracle Utilities Framework | =4.4.0.2.0 | |
| Oracle Utilities Framework | =4.4.0.3.0 | |
| Oracle WebLogic Server | =12.2.1.3.0 | |
| Oracle WebLogic Server | =12.2.1.4.0 | |
| Oracle WebLogic Server | =14.1.1.0.0 | |
| redhat/json-smart | <1.3.2 | 1.3.2 |
| redhat/json-smart | <2.4.1 | 2.4.1 |
| IBM IBM® Engineering Requirements Management DOORS | <=9.7.2.7 | |
| IBM IBM® Engineering Requirements Management DOORS Web Access | <=9.7.2.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-27568 https://nvd.nist.gov/vuln/detail/CVE-2021-27568
- https://bugzilla.redhat.com/show_bug.cgi?id=1939839
- https://access.redhat.com/errata/RHSA-2021:3225
- https://access.redhat.com/errata/RHSA-2021:4918
- https://access.redhat.com/errata/RHSA-2021:4767
- https://access.redhat.com/errata/RHSA-2021:3140
- https://access.redhat.com/errata/RHSA-2021:5134
- https://access.redhat.com/security/cve/cve-2021-27568
- https://github.com/netplex/json-smart-v1/issues/7
- https://github.com/netplex/json-smart-v2/issues/60
- https://lists.apache.org/thread.html/rb6287f5aa628c8d9af52b5401ec6cc51b6fc28ab20d318943453e396@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/re237267da268c690df5e1c6ea6a38a7fc11617725e8049490f58a6fa@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rf70210b4d63191c0bfb2a0d5745e104484e71703bf5ad9cb01c980c6@%3Ccommits.druid.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/197316
- https://www.ibm.com/support/pages/node/7124058 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-27568?
CVE-2021-27568 is a vulnerability found in json-smart library that can cause program crashes or expose sensitive information when an exception is thrown from a function and not caught.
What is the severity of CVE-2021-27568?
CVE-2021-27568 has a severity rating of medium with a CVSS score of 5.9.
Which software versions are affected by CVE-2021-27568?
CVE-2021-27568 affects json-smart-v1 up to 1.3.2 and json-smart-v2 up to 2.4.1.
How can CVE-2021-27568 impact my system?
CVE-2021-27568 can potentially compromise data confidentiality and system availability.
Where can I find more information about CVE-2021-27568?
You can find more information about CVE-2021-27568 on the GitHub pages of json-smart-v1 and json-smart-v2, as well as the Red Hat Security Advisory RHSA-2021:3225.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-27568
- agent/software-canonical-lookup
- agent/references
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/description
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- vendor/json-smart project
- canonical/json-smart project json-smart-v1
- canonical/json-smart project json-smart-v2
- version/json-smart project json-smart-v2/2.4
- vendor/oracle
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.14.0
- canonical/oracle oss support tools
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59
- canonical/oracle utilities framework
- version/oracle utilities framework/4.4.0.0.0
- version/oracle utilities framework/4.4.0.2.0
- version/oracle utilities framework/4.4.0.3.0
- canonical/oracle weblogic server
- version/oracle weblogic server/12.2.1.3.0
- version/oracle weblogic server/12.2.1.4.0
- version/oracle weblogic server/14.1.1.0.0
- package-manager/redhat
- vendor/ibm
- canonical/ibm ibm® engineering requirements management doors
- version/ibm ibm® engineering requirements management doors/9.7.2.7
- canonical/ibm ibm® engineering requirements management doors web access
- version/ibm ibm® engineering requirements management doors web access/9.7.2.7