{ "threat_severity" : "Important", "public_date" : "2023-03-22T00:00:00Z", "bugzilla" : { "description" : "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", "id" : "2188542", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2188542" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-674", "details" : [ "[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.\nWhen reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.\nIt was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.", "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software." ], "affected_release" : [ { "product_name" : "CEQ 2.13.2-2", "release_date" : "2023-05-17T00:00:00Z", "advisory" : "RHSA-2023:3179", "cpe" : "cpe:/a:redhat:camel_quarkus:2.13", "package" : "json-smart" }, { "product_name" : "CEQ 2.7.1-1", "release_date" : "2023-05-17T00:00:00Z", "advisory" : "RHSA-2023:3193", "cpe" : "cpe:/a:redhat:camel_quarkus:2.7", "package" : "json-smart" }, { "product_name" : "OCP-Tools-4.12-RHEL-8", "release_date" : "2023-06-15T00:00:00Z", "advisory" : "RHSA-2023:3610", "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8", "package" : "jenkins-2-plugins-0:4.12.1686649756-1.el8" }, { "product_name" : "OCP-Tools-4.13-RHEL-8", "release_date" : "2023-06-15T00:00:00Z", "advisory" : "RHSA-2023:3622", "cpe" : "cpe:/a:redhat:ocp_tools:4.13::el8", "package" : "jenkins-0:2.401.1.1686680404-3.el8" }, { "product_name" : "OpenShift Developer Tools and Services for OCP 4.11", "release_date" : "2023-06-19T00:00:00Z", "advisory" : "RHSA-2023:3663", "cpe" : "cpe:/a:redhat:ocp_tools:4.11::el8", "package" : "jenkins-2-plugins-0:4.11.1686831822-1.el8" }, { "product_name" : "Red Hat AMQ Clients", "release_date" : "2023-12-07T00:00:00Z", "advisory" : "RHSA-2023:7697", "cpe" : "cpe:/a:redhat:amq_clients:2023_q4", "package" : "json-smart" }, { "product_name" : "Red Hat AMQ Streams 2.4.0", "release_date" : "2023-05-18T00:00:00Z", "advisory" : "RHSA-2023:3223", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "Red Hat AMQ Streams 2.7.0", "release_date" : "2024-05-30T00:00:00Z", "advisory" : "RHSA-2024:3527", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "Red Hat Fuse 7.12", "release_date" : "2023-06-29T00:00:00Z", "advisory" : "RHSA-2023:3954", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "json-smart" }, { "product_name" : "Red Hat OpenShift Container Platform 4.10", "release_date" : "2023-06-07T00:00:00Z", "advisory" : "RHSA-2023:3362", "cpe" : "cpe:/a:redhat:openshift:4.10::el8", "package" : "jenkins-2-plugins-0:4.10.1684982411-1.el8" }, { "product_name" : "RHINT Camel-K-1.10.1", "release_date" : "2023-06-28T00:00:00Z", "advisory" : "RHSA-2023:3906", "cpe" : "cpe:/a:redhat:camel_k:1", "package" : "json-smart" }, { "product_name" : "RHINT Camel-Springboot 3.18.3.P1", "release_date" : "2023-05-03T00:00:00Z", "advisory" : "RHSA-2023:2099", "cpe" : "cpe:/a:redhat:camel_spring_boot:3.18.3", "package" : "json-smart" }, { "product_name" : "RHINT Camel-Springboot 3.18.3.P2", "release_date" : "2023-06-15T00:00:00Z", "advisory" : "RHSA-2023:3641", "cpe" : "cpe:/a:redhat:camel_spring_boot:3.18", "package" : "json-smart" }, { "product_name" : "RHINT Camel-Springboot 3.20.1", "release_date" : "2023-05-03T00:00:00Z", "advisory" : "RHSA-2023:2100", "cpe" : "cpe:/a:redhat:camel_spring_boot:3.20.1", "package" : "json-smart" }, { "product_name" : "Streams for Apache Kafka 2.9.1", "release_date" : "2025-06-30T00:00:00Z", "advisory" : "RHSA-2025:9922", "cpe" : "cpe:/a:redhat:amq_streams:2.9::el9" }, { "product_name" : "Streams for Apache Kafka 3.0.0", "release_date" : "2025-08-01T00:00:00Z", "advisory" : "RHSA-2025:12511", "cpe" : "cpe:/a:redhat:amq_streams:3.0::el9" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Affected", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:a_mq_clients:2", "impact" : "low" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/elasticsearch6-rhel8", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Affected", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:amq_broker:7", "impact" : "low" }, { "product_name" : "Red Hat build of Debezium 1", "fix_state" : "Affected", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Affected", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Out of support scope", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Not affected", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Affected", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Affected", "package_name" : "devspaces/pluginregistry-rhel8", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Affected", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "Red Hat support for Spring Boot", "fix_state" : "Not affected", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Affected", "package_name" : "json-smart", "cpe" : "cpe:/a:redhat:amq_streams:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-1370\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-1370\nhttps://github.com/advisories/GHSA-493p-pfq6-5258\nhttps://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/" ], "name" : "CVE-2023-1370", "csaw" : false }