[Bugs] [Bug 13545] New: [CVE 21] johnzon 0.9.4 CVEs found
bugzilla
bugzilla at rosalinux.ru
Wed Aug 23 23:21:00 MSK 2023
https://bugzilla.rosalinux.ru/show_bug.cgi?id=13545
Platform: 2021.1
Bug ID: 13545
Summary: [CVE 21] johnzon 0.9.4 CVEs found
Classification: ROSA-based products
Product: ROSA Fresh
Version: All
Hardware: All
URL: CVE-2023-33008,
OS: Linux
Status: CONFIRMED
Severity: normal
Priority: Normal
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: bugs at lists.rosalinux.ru
Reporter: y.tumanov at rosalinux.ru
QA Contact: bugs at lists.rosalinux.ru
CC: e.kosachev at rosalinux.ru, s.matveev at rosalinux.ru,
y.tumanov at rosalinux.ru
Target Milestone: ---
Flags: secteam_verified?
Please patch CVEs for package johnzon version 0.9.4
INFO (CVEs are): johnzon 0.9.4
CVEs found:
CVE-2023-33008
Desc: Deserialization of Untrusted Data vulnerability in Apache Software
Foundation Apache Johnzon.
A malicious attacker can craft JSON input that uses large numbers
(numbers such as 1e20000000), which Apache Johnzon will deserialize into
BigDecimal and may then use numbers that are too large, which may result in a
slow conversion (denial-of-service risk). Apache Johnzon 1.2.21 mitigates this
by setting a scale limit of 1000 (by default) on the BigDecimal.
This issue affects Apache Johnzon: through 1.2.20.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-33008
Severity: MEDIUM
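The mechanism the advisory describes, as an added illustration that is not Apache Johnzon's own code and does not use its API: parsing a literal such as 1e20000000 into a BigDecimal is cheap, because the value is stored symbolically as an unscaled digit string plus a scale, but any later expansion (to BigInteger, to a plain decimal string, to a primitive) must materialise tens of millions of digits. A scale check before expansion is the shape of the mitigation the advisory credits to Johnzon 1.2.21; the limit value 1000 is taken from the advisory, while the class name, the parseBounded method, the MAX_SCALE constant and the sample literals are this example's own assumptions.

```java
import java.math.BigDecimal;
import java.math.BigInteger;

// Added example (not Apache Johnzon code): cost of expanding a BigDecimal with a
// huge negative scale, and a scale limit that rejects such input up front.
public class BigDecimalScaleGuard {

    // Limit taken from the advisory (Johnzon 1.2.21 default); the constant is ours.
    static final int MAX_SCALE = 1000;

    // Parse a JSON-style number literal and refuse it when its scale (the number
    // of digits that expansion would have to materialise) exceeds the limit.
    // Hypothetical helper written for this example; not a Johnzon API.
    static BigDecimal parseBounded(String literal) {
        BigDecimal value = new BigDecimal(literal); // cheap: no digit expansion yet
        if (Math.abs(value.scale()) > MAX_SCALE) {
            throw new IllegalArgumentException(
                "number scale " + value.scale() + " exceeds limit " + MAX_SCALE);
        }
        return value;
    }

    // Time how long materialising a BigDecimal as a BigInteger takes.
    static long expandMillis(BigDecimal value) {
        long t0 = System.nanoTime();
        BigInteger expanded = value.toBigInteger(); // computes 10^|scale| and multiplies
        long ms = (System.nanoTime() - t0) / 1_000_000;
        System.out.println("expanded to " + expanded.bitLength() + " bits in " + ms + " ms");
        return ms;
    }

    public static void main(String[] args) {
        // Constructed input in the shape the advisory gives.
        String hostile = "1e20000000";

        // Parsing alone is fast: BigDecimal keeps unscaled value 1 and scale -20000000.
        long t0 = System.nanoTime();
        BigDecimal lazy = new BigDecimal(hostile);
        System.out.println("parse: scale=" + lazy.scale()
            + " in " + (System.nanoTime() - t0) / 1_000_000 + " ms");

        // The cost appears when a binding layer converts the value. A scaled-down
        // literal (constructed) is used here so the demo finishes; the full
        // 1e20000000 would build a ~66-million-bit BigInteger.
        expandMillis(new BigDecimal("1e2000000"));

        // With the guard the hostile literal is rejected before any expansion.
        try {
            parseBounded(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Ordinary numbers, including large-but-bounded ones, pass unchanged.
        System.out.println("accepted: " + parseBounded("12345.678").toPlainString());
        System.out.println("accepted: 1e300 -> "
            + parseBounded("1e300").toBigInteger().bitLength() + " bits");
    }
}
```

The check keys on BigDecimal.scale() rather than on the literal's length because a short literal carries the whole attack: the exponent, not the mantissa, decides how many digits expansion produces. Positive scales are bounded for the same reason, since 1e-20000000 forces a 20-million-digit fraction when rendered as a plain string.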