#VU85304 Excessive Iteration in parsson


Published: 2024-01-11

Vulnerability identifier: #VU85304

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4043

CWE-ID: CWE-834

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
parsson
Other software / Other software solutions

Vendor: Eclipse EE4J

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect. A remote attacker can trigger excessive iteration and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

parsson: 1.0.0 - 1.1.3

External links
http://github.com/eclipse-ee4j/parsson/pull/100
http://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools
Multiple vulnerabilities in Communications Service Catalog and Design
Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform 8.0
Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform 8.0
Excessive Iteration in IBM Event Processing
Excessive Iteration in IBM Event Endpoint Management
Multiple vulnerabilities in Red Hat build of Quarkus 3.2
Multiple vulnerabilities in Red Hat build of Quarkus
Multiple vulnerabilities in Red Hat Integration Camel for Spring Boot 4.0