CVE-2023-5072: DoS Vulnerability in JSON-Java
First published: Thu Oct 12 2023(Updated: )
## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4jq9-2xhw-jpx7. This link is maintained to preserve external references. ## Original Description Denial of Service in JSON-Java versions prior to 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
Credit: cve-coordination@google.com cve-coordination@google.com cve-coordination@google.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Json-java Project Json-java | <=20230618 | |
| maven/org.json:json | <=20230618 | 20231013 |
| redhat/org.json | <20231013 | 20231013 |
| IBM Cognos Analytics | <=12.0-12.0.2 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP2 | |
| <=20230618 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/stleary/JSON-java/issues/758
- https://github.com/stleary/JSON-java/issues/771
- https://github.com/google/security-research/security/advisories/GHSA-4jq9-2xhw-jpx7
- https://nvd.nist.gov/vuln/detail/CVE-2023-5072
- https://github.com/stleary/JSON-java/pull/759
- https://github.com/stleary/JSON-java/commit/60662e2f8384d3449822a3a1179bfe8de67b55bb
- https://github.com/advisories/GHSA-4jq9-2xhw-jpx7 (Advisory)
- http://www.openwall.com/lists/oss-security/2023/12/13/4
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/268485
- https://www.ibm.com/support/pages/node/7149874 (Advisory)
- https://security.netapp.com/advisory/ntap-20240621-0007
- https://github.com/advisories/GHSA-rm7j-f5g5-27vv (Advisory)
- https://access.redhat.com/errata/RHSA-2023:7617
- https://access.redhat.com/errata/RHSA-2023:7678
- https://access.redhat.com/errata/RHSA-2023:7705
- https://access.redhat.com/errata/RHSA-2023:7842
- https://access.redhat.com/errata/RHSA-2023:7845
- https://access.redhat.com/errata/RHSA-2024:0148
- https://access.redhat.com/errata/RHSA-2024:1353
- https://access.redhat.com/errata/RHSA-2024:3354
- https://access.redhat.com/errata/RHSA-2024:3752
- https://access.redhat.com/errata/RHSA-2024:3762
- https://access.redhat.com/errata/RHSA-2024:4271
- https://bugzilla.redhat.com/show_bug.cgi?id=2246417
Frequently Asked Questions
What is CVE-2023-5072?
CVE-2023-5072 is a vulnerability that allows for a Denial of Service attack in JSON-Java versions prior to 20230618.
What is the severity of CVE-2023-5072?
CVE-2023-5072 has a severity rating of high, with a CVSS score of 7.5.
How does CVE-2023-5072 work?
CVE-2023-5072 exploits a bug in the JSON-Java parser, allowing an input string of modest size to consume excessive amounts of memory, leading to a Denial of Service condition.
How can I fix CVE-2023-5072?
To fix CVE-2023-5072, it is recommended to update JSON-Java to version 20230618 or later.
Are there any references for CVE-2023-5072?
You can find more information about CVE-2023-5072 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-5072), [GitHub Issue 758](https://github.com/stleary/JSON-java/issues/758), [GitHub Issue 771](https://github.com/stleary/JSON-java/issues/771).
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-4jq9-2xhw-jpx7
- alias/CVE-2023-5072
- collector/github-advisory
- agent/type
- agent/first-publish-date
- agent/severity
- agent/author
- agent/weakness
- agent/title
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- source/GitHub
- alias/GHSA-rm7j-f5g5-27vv
- agent/references
- agent/last-modified-date
- agent/tags
- agent/event
- agent/softwarecombine
- collector/nvd-cve
- collector/redhat-bugzilla
- source/Red Hat
- vendor/json-java project
- canonical/json-java project json-java
- version/json-java project json-java/20230618
- package-manager/maven
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0-12.0.2
- version/ibm cognos analytics/11.2.0-11.2.4 fp2
- package-manager/redhat