Stack-based buffer overflow in hutool

#VU77102 Stack-based buffer overflow in hutool

Published: 2023-06-08

Vulnerability identifier: #VU77102

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-45688

CWE-ID: CWE-121

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
hutool
Other software / Other software solutions

Vendor: Dromara

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists in the XML.toJSONObject component. A remote unauthenticated attacker can send a specially crafted JSON or XML data, trigger stack-based buffer overflow and perform a denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

hutool: 5.8.10

External links
http://github.com/dromara/hutool/issues/2748
http://github.com/stleary/JSON-java/issues/708

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Oracle Solaris Cluster

Multiple vulnerabilities in Oracle Communications Cloud Native Core Service Communication Proxy

Jira Software Data Center and Server update for json

Stack-based buffer overflow in IBM Sterling Partner Engagement Manager

Multiple vulnerabilities in Netcool Operations Insight

Multiple vulnerabilities in IBM Security Verify Access

Multiple vulnerabilities in IBM Observability with Instana (OnPrem)

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data update for Hutool

Multiple vulnerabilities in IBM Cloud Transformation Advisor

Multiple vulnerabilities in Oracle Business Process Management Suite