First published: Thu Oct 12 2023(Updated: )
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-4jq9-2xhw-jpx7. This link is maintained to preserve external references.

## Original Description

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.

Credit: cve-coordination@google.com
Affected Software | Affected Version | How to fix |
---|---|---|
Json-java Project Json-java | <=20230618 | 20231013 |
maven/org.json:json | <=20230618 | 20231013 |
redhat/org.json | <20231013 | 20231013 |
IBM Cognos Analytics | 12.0 to 12.0.2 | |
IBM Cognos Analytics | 11.2.0 to 11.2.4 FP2 | |
CVE-2023-5072 is a Denial of Service vulnerability in JSON-Java (org.json) affecting versions up to and including 20230618.
CVE-2023-5072 has a severity rating of High, with a CVSS base score of 7.5.
CVE-2023-5072 is caused by a bug in the JSON-Java parser: an input string of modest size can make the parser consume an unbounded amount of memory, so an attacker who can supply JSON to an affected application can exhaust its heap. Because the triggering input is small, request-size limits alone do not mitigate the issue.
To fix CVE-2023-5072, update JSON-Java to version 20231013 or later (the version listed as the fix in the table above). Note that the advisory's own description says "prior to 20230618", but 20230618 itself is affected.
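The following is an added shell example, not code from SecAlerts, the advisory, or the JSON-java project. It scans `mvn dependency:tree` output for `org.json:json` coordinates and flags any version below 20231013 (the fix version given in the table above). The dependency-tree lines in `SAMPLE_TREE` are constructed sample input; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect org.json:json versions affected by CVE-2023-5072 in
# Maven dependency-tree output. Not part of the advisory or the JSON-java project.
#
# The advisory's table lists <=20230618 as affected and 20231013 as the fix, so
# any release earlier than 20231013 is treated as vulnerable. org.json releases
# are date-stamped (YYYYMMDD), which allows a plain numeric comparison.

FIXED_VERSION=20231013

# json_java_status VERSION
# Prints VULNERABLE, OK, or UNKNOWN (non-numeric version string).
json_java_status() {
    case "$1" in
        ''|*[!0-9]*) echo UNKNOWN; return ;;   # not a YYYYMMDD release tag
    esac
    if [ "$1" -lt "$FIXED_VERSION" ]; then
        echo VULNERABLE
    else
        echo OK
    fi
}

# scan_dependency_tree
# Reads `mvn dependency:tree` output on stdin and prints one line per
# org.json:json occurrence: "org.json:json <version> <status>".
# Dependency-tree lines look like "[INFO] +- org.json:json:jar:20230618:compile";
# the coordinate is groupId:artifactId:type:version:scope.
scan_dependency_tree() {
    sed -n 's/.*\(org\.json:json:[a-z]*:[^: ]*\).*/\1/p' |
    while IFS= read -r coord; do
        version=${coord##*:}                 # last colon-separated field = version
        status=$(json_java_status "$version")
        printf 'org.json:json %s %s\n' "$version" "$status"
    done
}

# Constructed sample input (hypothetical project; not real scan output).
SAMPLE_TREE='[INFO] com.example:app:jar:1.0-SNAPSHOT
[INFO] +- org.json:json:jar:20230618:compile
[INFO] +- com.example:lib:jar:2.1:compile
[INFO] |  \- org.json:json:jar:20231013:compile
[INFO] \- junit:junit:jar:4.13.2:test'

# Stand-alone demo. Against a real project run:
#   mvn dependency:tree -Dincludes=org.json:json | scan_dependency_tree
printf '%s\n' "$SAMPLE_TREE" | scan_dependency_tree
```

The scan only sees artifacts Maven resolves under the `org.json:json` coordinate; a copy of org.json shaded or relocated into another jar will not appear in the tree and needs a classpath or SBOM check instead. The remediation itself is to pin `org.json:json` to 20231013 or later in the project's dependency management.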
You can find more information about CVE-2023-5072 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-5072), [GitHub Issue 758](https://github.com/stleary/JSON-java/issues/758), [GitHub Issue 771](https://github.com/stleary/JSON-java/issues/771).