swagger-codegen icon indicating copy to clipboard operation
swagger-codegen copied to clipboard

Published 20 hours ago verified publisher icon swagger-api

WS-2017-3805 (High) detected in json-20140107.jar

Open mend-for-github-com[bot] opened this issue 3 years ago • 0 comments

WS-2017-3805 - High Severity Vulnerability

Vulnerable Library - json-20140107.jar

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/ 

	The files in this package implement JSON encoders/decoders in Java.
	It also includes the capability to convert between JSON and XML, HTTP
	headers, Cookies, and CDL.

	This is a reference implementation. There is a large number of JSON packages
	in Java. Perhaps someday the Java community will standardize on one. Until
	then, choose carefully.

	The license includes this restriction: "The software shall be used for good,
	not evil." If your conscience cannot live with that, then choose a different
	package.

	The package compiles on Java 1.2 thru Java 1.4.</p>

Library home page: https://github.com/douglascrockford/JSON-java

Path to dependency file: /samples/client/petstore/java/retrofit/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20140107/d1ffca6e2482b002702c6a576166fd685e3370e3/json-20140107.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20140107/d1ffca6e2482b002702c6a576166fd685e3370e3/json-20140107.jar

Dependency Hierarchy:

  • org.apache.oltu.oauth2.client-1.0.1.jar (Root Library)
    • org.apache.oltu.oauth2.common-1.0.1.jar
      • :x: json-20140107.jar (Vulnerable Library)

Found in HEAD commit: 4b7a8d7d7384aa6a27d6309c35ade0916edae7ed

Found in base branch: master

Vulnerability Details

Affected versions of JSON In Java are vulnerable to Denial of Service (DoS) when trying to initialize a JSONArray object and the input is [. This will cause the jvm to crash with StackOverflowError due to non-cyclical stack overflow.

Publish Date: 2017-10-30

URL: WS-2017-3805

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-10-30

Fix Resolution: org.json:json:20180130

mend-for-github-com[bot] avatar Jul 21 '22 03:07 mend-for-github-com[bot]