CVE-2021-27568
Denial of Service vulnerability in net.minidev:json-smart

Denial of Service Proof of concept

What is CVE-2021-27568 About?

This vulnerability in `json-smart` versions v1 and v2 is due to an uncaught exception (e.g., NumberFormatException) that can crash programs using the library. Its impact can range from denial of service to information exposure. Exploitation is relatively easy by crafting malformed JSON input.

Affected Software

  • net.minidev:json-smart
    • >2.4.0, <2.4.1
    • <1.3.2
    • >2.0.0, <2.3.1
  • net.minidev:json-smart-mini
    • <1.3.2

Technical Details

The vulnerability occurs in the `json-smart` library when processing malformed JSON input. Specifically, an exception like a `NumberFormatException` can be thrown during parsing or deserialization of certain numeric values or structures. The core issue is that this exception is not properly caught and handled within the library's functions. When an application uses `json-smart` and encounters such a malformed input, the uncaught exception propagates up the call stack, potentially leading to the termination of the application or process. This uncontrolled error behavior disrupts the normal execution flow and can expose sensitive debugging information or leave the application in an unstable state.
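A defensive wrapper for the failure mode described above, as an added example (not code from this page or from the json-smart project). It assumes json-smart is on the classpath. The names `SafeJsonParse`, `parseUntrusted` and `handleRequest` are hypothetical, the sample inputs are constructed, and the wrapper complements upgrading rather than replacing it.

```java
import net.minidev.json.JSONValue;
import net.minidev.json.parser.ParseException;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;

public class SafeJsonParse {
    private static final Logger LOG = Logger.getLogger(SafeJsonParse.class.getName());

    /**
     * Parses untrusted JSON and never lets a parser failure propagate.
     * Returns empty on any failure (a top-level JSON null is also mapped to empty).
     */
    public static Optional<Object> parseUntrusted(String body) {
        if (body == null) {
            return Optional.empty();
        }
        try {
            return Optional.ofNullable(JSONValue.parseWithException(body));
        } catch (ParseException e) {
            // Checked failure the API declares for malformed input.
            LOG.log(Level.FINE, "Rejected malformed JSON", e);
        } catch (RuntimeException e) {
            // Unchecked failure (e.g. NumberFormatException) that a vulnerable
            // version can throw; catching only ParseException would miss it.
            LOG.log(Level.WARNING, "JSON parser threw an unchecked exception", e);
        }
        return Optional.empty();
    }

    /** Client-facing result: generic text only, no exception class, message or stack trace. */
    public static String handleRequest(String body) {
        return parseUntrusted(body)
                .map(parsed -> "200 OK")
                .orElse("400 Bad Request: invalid JSON");
    }

    public static void main(String[] args) {
        // Constructed samples: one well-formed document, one truncated document.
        String[] samples = { "{\"id\": 42}", "{\"id\": " };
        for (String sample : samples) {
            System.out.println(handleRequest(sample));
        }
    }
}
```

Exception details go to the server-side log only, so a parser failure ends one request with a generic error instead of terminating the process or returning debugging output to the caller.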

What is the Impact of CVE-2021-27568?

Successful exploitation may allow attackers to cause a denial of service by crashing the application, or potentially expose sensitive information through unhandled error messages.

What is the Exploitability of CVE-2021-27568?

Exploitation of this vulnerability is of low complexity, as it primarily involves supplying specially crafted malformed JSON input. No authentication is required for exploitation if the application processes untrusted JSON data. There are no specific privilege requirements on the target system. The vulnerability can be exploited remotely if the application accepts JSON input over a network. The primary prerequisite is the processing of attacker-controlled JSON data by a vulnerable version of `json-smart`. Risk factors include applications that expose JSON parsing endpoints to external users without robust input validation, making them susceptible to crashing or information leakage.

What are the Known Public Exploits?

PoC Author | Link | Commentary
arsalanraja987 | Link | Demo of CVE-2021-27568: Insecure randomness in token generation

What are the Available Fixes for CVE-2021-27568?

Available Upgrade Options

  • net.minidev:json-smart
    • <1.3.2 → Upgrade to 1.3.2
  • net.minidev:json-smart
    • >2.0.0, <2.3.1 → Upgrade to 2.3.1
  • net.minidev:json-smart
    • >2.4.0, <2.4.1 → Upgrade to 2.4.1
  • net.minidev:json-smart-mini
    • <1.3.2 → Upgrade to 1.3.2

Additional Resources

What are Similar Vulnerabilities to CVE-2021-27568?

Similar Vulnerabilities: CVE-2017-7525, CVE-2017-1000000, CVE-2016-10707, CVE-2015-2150, CVE-2013-6460