#VU77102 Stack-based buffer overflow in hutool - CVE-2022-45688

Cybersecurity Help s.r.o.

Published: 2023-06-08

Vulnerability identifier: #VU77102

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-45688

CWE-ID: CWE-121

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
hutool
Other software / Other software solutions

Vendor: Dromara

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists in the XML.toJSONObject component. A remote unauthenticated attacker can send a specially crafted JSON or XML data, trigger stack-based buffer overflow and perform a denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

hutool: 5.8.10

External links
https://github.com/dromara/hutool/issues/2748
https://github.com/stleary/JSON-java/issues/708

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in HPE Unified OSS Console Assurance Monitoring (UOCAM)

Multiple vulnerabilities in IBM Storage Copy Data Management

Multiple vulnerabilities in IBM Maximo Application Suite - IoT Component

IBM B2B Sterling Integrator update for Hutool

Multiple vulnerabilities in Dell ObjectScale

Multiple vulnerabilities in IBM Sterling Connect:Direct Web Services

Multiple vulnerabilities in Oracle Solaris Cluster

Multiple vulnerabilities in Oracle Communications Cloud Native Core Service Communication Proxy

Jira Software Data Center and Server update for json

Stack-based buffer overflow in IBM Sterling Partner Engagement Manager