#VU80782 Deserialization of Untrusted Data in Apache Johnzon - CVE-2023-33008


| Updated: 2024-08-27

Vulnerability identifier: #VU80782

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-33008

CWE-ID: CWE-502

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Johnzon
Other software / Other software solutions

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted JSON input that uses large numbers (numbers such as 1e20000000) to the application and perform a denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Johnzon: 0.9.4 - 1.2.20

External links
https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


IBM InfoSphere Master Data Management update for Apache Johnzon
Multiple vulnerabilities in IBM Cloud Pak for Business Automation
Deserialization of untrusted data in IBM DataPower Operations Dashboard
Deserialization of untrusted data in IBM Business Automation Workflow
Multiple vulnerabilities in IBM Cloud Pak for Business Automation
Multiple vulnerabilities in Red Hat support for Spring Boot
Multiple vulnerabilities in Red Hat AMQ Broker
Multiple vulnerabilities in Red Hat Integration Camel for Spring Boot 4.0
Deserialization of untrusted data in IBM Robotic Process Automation
Deserialization of untrusted data in IBM App Connect Enterprise