CVE-2023-4043 MEDIUM

CVE-2023-4043: Parsson DoS when parsing numbers from untrusted sources

Vendor Eclipse Foundation

Product Parsson

Weakness CWE-20 · Input validation

Published November 3, 2023

Last update September 5, 2024

View on NVD All CVEs

CVSS base score

5.9/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect. To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.

Key dates

02Disclosure timeline

November 3, 2023 CVE published

September 5, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-4043

Related vulnerabilities

Identifiers

CVE CVE-2023-4043

CWE CWE-20

CVSS 5.9 / MEDIUM

Affected versions

Vendor Eclipse Foundation

Product Parsson

Affected < 1.0.5

Vendor Eclipse Foundation

Product Parsson

Affected ≥ 1.1.0 and < 1.1.4

CVE-2023-4043: Parsson DoS when parsing numbers from untrusted sources

01Description

02Disclosure timeline

03References

04Related CVE