{
  "threat_severity" : "Important",
  "public_date" : "2023-11-03T00:00:00Z",
  "bugzilla" : {
    "description" : "parsson: Denial of Service due to large number parsing",
    "id" : "2254594",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2254594"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-834",
  "details" : [ "In Eclipse Parsson before versions 1.1.4 and 1.0.5, parsing JSON from untrusted sources can allow malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.\nTo mitigate the risk, Parsson put in place a size limit for the numbers as well as their scale.", "A flaw was found in the Eclipse Parsson library when processing untrusted source content. This issue may cause a Denial of Service (DoS) due to built-in support for parsing numbers with a large scale, and some cases where processing a large number may take much more time than expected." ],
  "statement" : "Red Hat rates this as an important impact since one needs to process untrusted content and, if there is no sanitization, a Denial of Service (DoS) may happen.",
  "affected_release" : [ {
    "product_name" : "Cryostat 2 on RHEL 8",
    "release_date" : "2024-01-25T00:00:00Z",
    "advisory" : "RHSA-2024:0530",
    "cpe" : "cpe:/a:redhat:cryostat:2::el8",
    "package" : "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8:2.4.0-4"
  }, {
    "product_name" : "Cryostat 2 on RHEL 8",
    "release_date" : "2024-01-25T00:00:00Z",
    "advisory" : "RHSA-2024:0530",
    "cpe" : "cpe:/a:redhat:cryostat:2::el8",
    "package" : "cryostat-tech-preview/cryostat-operator-bundle:2.4.0-3"
  }, {
    "product_name" : "Cryostat 2 on RHEL 8",
    "release_date" : "2024-01-25T00:00:00Z",
    "advisory" : "RHSA-2024:0530",
    "cpe" : "cpe:/a:redhat:cryostat:2::el8",
    "package" : "cryostat-tech-preview/cryostat-reports-rhel8:2.4.0-3"
  }, {
    "product_name" : "Cryostat 2 on RHEL 8",
    "release_date" : "2024-01-25T00:00:00Z",
    "advisory" : "RHSA-2024:0530",
    "cpe" : "cpe:/a:redhat:cryostat:2::el8",
    "package" : "cryostat-tech-preview/cryostat-rhel8:2.4.0-3"
  }, {
    "product_name" : "Cryostat 2 on RHEL 8",
    "release_date" : "2024-01-25T00:00:00Z",
    "advisory" : "RHSA-2024:0530",
    "cpe" : "cpe:/a:redhat:cryostat:2::el8",
    "package" : "cryostat-tech-preview/cryostat-rhel8-operator:2.4.0-5"
  }, {
    "product_name" : "Cryostat 2 on RHEL 8",
    "release_date" : "2024-01-25T00:00:00Z",
    "advisory" : "RHSA-2024:0530",
    "cpe" : "cpe:/a:redhat:cryostat:2::el8",
    "package" : "cryostat-tech-preview/jfr-datasource-rhel8:2.4.0-3"
  }, {
    "product_name" : "EAP 8.0.1",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1194",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0",
    "package" : "parsson",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.2.10.Final",
    "release_date" : "2024-02-12T00:00:00Z",
    "advisory" : "RHSA-2024:0722",
    "cpe" : "cpe:/a:redhat:quarkus:3.2::el8",
    "package" : "org.eclipse.parsson/parsson:1.1.5.redhat-00001"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1192",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-apache-sshd-0:2.12.0-1.redhat_00001.1.el8eap",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1192",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-eclipse-jgit-0:6.6.1.202309021850-1.r_redhat_00001.1.el8eap",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1192",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-log4j-0:2.19.0-2.redhat_00001.1.el8eap",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1192",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-lucene-solr-0:8.11.2-2.redhat_00001.1.el8eap",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1192",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-parsson-0:1.1.5-1.redhat_00001.1.el8eap",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1192",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
    "package" : "eap8-wildfly-0:8.0.1-3.GA_redhat_00002.1.el8eap",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1193",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-apache-sshd-0:2.12.0-1.redhat_00001.1.el9eap",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1193",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-eclipse-jgit-0:6.6.1.202309021850-1.r_redhat_00001.1.el9eap",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1193",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-log4j-0:2.19.0-2.redhat_00001.1.el9eap",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1193",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-lucene-solr-0:8.11.2-2.redhat_00001.1.el9eap",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1193",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-parsson-0:1.1.5-1.redhat_00001.1.el9eap",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
    "release_date" : "2024-03-06T00:00:00Z",
    "advisory" : "RHSA-2024:1193",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
    "package" : "eap8-wildfly-0:8.0.1-3.GA_redhat_00002.1.el9eap",
    "impact" : "moderate"
  }, {
    "product_name" : "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)",
    "release_date" : "2024-02-12T00:00:00Z",
    "advisory" : "RHSA-2024:0789",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3",
    "package" : "parsson"
  }, {
    "product_name" : "RHINT Camel-Springboot 4.0.3",
    "release_date" : "2024-02-12T00:00:00Z",
    "advisory" : "RHSA-2024:0793",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4.0.3",
    "package" : "parsson"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 3",
    "fix_state" : "Not affected",
    "package_name" : "parsson",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:3"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Not affected",
    "package_name" : "parsson",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Will not fix",
    "package_name" : "parsson",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "parsson",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/pluginregistry-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Not affected",
    "package_name" : "parsson",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-4043\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4043" ],
  "name" : "CVE-2023-4043",
  "mitigation" : {
    "value" : "Avoid processing content from untrusted sources in order to minimize the chance of a Denial of Service attack.",
    "lang" : "en:us"
  },
  "csaw" : false
}