{
  "threat_severity" : "Important",
  "public_date" : "2025-02-05T00:00:00Z",
  "bugzilla" : {
    "description" : "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)",
    "id" : "2344073",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-674",
  "details" : [ "A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input containing a large number of '{' characters, a stack exhaustion can be triggered, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of an incomplete fix for CVE-2023-1370.", "A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370." ],
  "statement" : "This issue exists because of an incomplete fix for CVE-2023-1370, therefore it only affects json-smart v2.5.0 through v2.5.1 (inclusive).",
  "affected_release" : [ {
    "product_name" : "HawtIO HawtIO 4.2.0",
    "release_date" : "2025-06-10T00:00:00Z",
    "advisory" : "RHSA-2025:8761",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4.2::el6",
    "package" : "json-smart"
  }, {
    "product_name" : "OCP-Tools-4.12-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10118",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8",
    "package" : "jenkins-0:2.504.2.1750932984-3.el8"
  }, {
    "product_name" : "OCP-Tools-4.12-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10118",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8",
    "package" : "jenkins-2-plugins-0:4.12.1750933270-1.el8"
  }, {
    "product_name" : "OCP-Tools-4.13-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10119",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.13::el8",
    "package" : "jenkins-0:2.504.2.1750916374-3.el8"
  }, {
    "product_name" : "OCP-Tools-4.13-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10119",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.13::el8",
    "package" : "jenkins-2-plugins-0:4.13.1750916671-1.el8"
  }, {
    "product_name" : "OCP-Tools-4.14-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10120",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.14::el8",
    "package" : "jenkins-0:2.504.2.1750903189-3.el8"
  }, {
    "product_name" : "OCP-Tools-4.14-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10120",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.14::el8",
    "package" : "jenkins-2-plugins-0:4.14.1750903529-1.el8"
  }, {
    "product_name" : "OCP-Tools-4.15-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10104",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.15::el8",
    "package" : "jenkins-0:2.504.2.1750856366-3.el8"
  }, {
    "product_name" : "OCP-Tools-4.15-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10104",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.15::el8",
    "package" : "jenkins-2-plugins-0:4.15.1750856638-1.el8"
  }, {
    "product_name" : "OCP-Tools-4.16-RHEL-9",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10098",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.16::el9",
    "package" : "jenkins-0:2.504.2.1750857144-3.el9"
  }, {
    "product_name" : "OCP-Tools-4.16-RHEL-9",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10098",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.16::el9",
    "package" : "jenkins-2-plugins-0:4.16.1750857315-1.el9"
  }, {
    "product_name" : "OCP-Tools-4.17-RHEL-9",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10097",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.17::el9",
    "package" : "jenkins-0:2.504.2.1750851690-3.el9"
  }, {
    "product_name" : "OCP-Tools-4.17-RHEL-9",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10097",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.17::el9",
    "package" : "jenkins-2-plugins-0:4.17.1750851950-1.el9"
  }, {
    "product_name" : "OCP-Tools-4.18-RHEL-9",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10092",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.18::el9",
    "package" : "jenkins-0:2.504.2.1750846524-3.el9"
  }, {
    "product_name" : "OCP-Tools-4.18-RHEL-9",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10092",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.18::el9",
    "package" : "jenkins-2-plugins-0:4.18.1750846854-1.el9"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4.8.5 for Spring Boot",
    "release_date" : "2025-04-02T00:00:00Z",
    "advisory" : "RHSA-2025:3543",
    "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.8.5",
    "package" : "json-smart"
  }, {
    "product_name" : "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
    "release_date" : "2025-04-02T00:00:00Z",
    "advisory" : "RHSA-2025:3541",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3.15",
    "package" : "quarkus-camel-bom"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Not affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat AMQ Clients",
    "fix_state" : "Not affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:amq_clients:2023"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Not affected",
    "package_name" : "quarkus-cxf-bom",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 3",
    "fix_state" : "Not affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:apicurio_registry:3"
  }, {
    "product_name" : "Red Hat build of Debezium 2",
    "fix_state" : "Affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:debezium:2"
  }, {
    "product_name" : "Red Hat build of OptaPlanner 8",
    "fix_state" : "Not affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:optaplanner:::el6"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Will not fix",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Out of support scope",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Out of support scope",
    "package_name" : "json-smart-action",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Out of support scope",
    "package_name" : "net.minidev-json-smart",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Not affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Not affected",
    "package_name" : "json-smart-action",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "net.minidev-json-smart",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "net.minidev-json-smart",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Will not fix",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Affected",
    "package_name" : "json-smart-action",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Affected",
    "package_name" : "net.minidev-json-smart",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-57699\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-57699\nhttps://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699\nhttps://nvd.nist.gov/vuln/detail/cve-2023-1370" ],
  "name" : "CVE-2024-57699",
  "mitigation" : {
    "value" : "Red Hat Product Security does not have a recommended mitigation at this time.",
    "lang" : "en:us"
  },
  "csaw" : false
}