hapi-fhir icon indicating copy to clipboard operation
hapi-fhir copied to clipboard

Published 20 hours ago • verified publisher icon hapifhir

CVE-2021-27568 (High) detected in json-smart-2.3.jar

Open mend-bolt-for-github[bot] opened this issue 3 years ago • 0 comments

CVE-2021-27568 - High Severity Vulnerability

Vulnerable Library - json-smart-2.3.jar

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

Library home page: http://www.minidev.net/

Path to dependency file: /hapi-fhir-jpaserver-base/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/minidev/json-smart/2.3/json-smart-2.3.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.3/json-smart-2.3.jar

Dependency Hierarchy:

  • hapi-fhir-cli-api-6.2.0-PRE5-SNAPSHOT.jar (Root Library)
    • hapi-fhir-jpaserver-base-6.2.0-PRE5-SNAPSHOT.jar
      • json-path-2.5.0.jar
        • :x: json-smart-2.3.jar (Vulnerable Library)

Found in HEAD commit: b59f2d05a7d0fd10c7b03bb6f0ebf97757172a71

Found in base branch: master

Vulnerability Details

An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.

Publish Date: 2021-02-23

URL: CVE-2021-27568

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-23

Fix Resolution: net.minidev:json-smart-mini:1.3.2;net.minidev:json-smart:1.3.2,2.3.1,2.4.2;net.minidev:json-smart-action:2.3.1,2.4.2

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] avatar Feb 07 '22 20:02 mend-bolt-for-github[bot]