Description

Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

Remediation

References

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083

https://github.com/FasterXML/jackson-dataformats-text/blob/2.16/release-notes/VERSION-2.x

https://github.com/FasterXML/jackson-dataformats-text/pull/398

Related Vulnerabilities

CVE-2023-46122 Vulnerability in maven package org.scala-sbt:io_3

CVE-2022-33140 Vulnerability in maven package org.apache.nifi.registry:nifi-registry-framework

CVE-2022-2048 Vulnerability in maven package org.eclipse.jetty.http2:http2-server

CVE-2022-37423 Vulnerability in maven package org.neo4j.procedure:apoc

CVE-2022-21704 Vulnerability in npm package log4js

Severity

High

Classification

CWE-787 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Issue Tracking Patch Third Party Advisory Release Notes