Description
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
Remediation
References
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538
https://github.com/jettison-json/jettison/issues/45
https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html
https://www.debian.org/security/2023/dsa-5312
Related Vulnerabilities
CVE-2018-1000613 Vulnerability in maven package org.bouncycastle:bcprov-jdk15on
CVE-2020-6532 Vulnerability in maven package org.webjars.npm:electron
CVE-2019-12814 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2017-7672 Vulnerability in maven package org.apache.struts:struts2-core
CVE-2018-8038 Vulnerability in maven package org.apache.cxf.fediz:fediz-core