CVE-2021-31684
Denial of Service (DOS) vulnerability in net.minidev:json-smart
What is CVE-2021-31684 About?
This vulnerability in the `indexOf` function of JSON Smart's `JSONParserByteArray` can lead to a Denial of Service (DOS). By sending a specially crafted web request, an attacker can consume excessive resources, making the service unavailable. The ease of exploitation is moderate, as it requires knowledge of the specific function and input format.
Affected Software
- net.minidev:json-smart
- >1.3.0, <1.3.3
- >2.4.0, <2.4.4
Technical Details
The vulnerability resides in the `indexOf` function within the `JSONParserByteArray` component of JSON Smart versions prior to 1.3.3 and 2.4.5. A crafted web request containing specific input can trigger an inefficient operation or an infinite loop when processed by this function, leading to a resource exhaustion state and subsequently a Denial of Service (DOS). The attack vector involves sending a malformed JSON payload that specifically targets the logic of the `indexOf` function.
What is the Impact of CVE-2021-31684?
Successful exploitation may allow attackers to cause the affected service to become unavailable or unresponsive, leading to a Denial of Service condition.
What is the Exploitability of CVE-2021-31684?
Exploitation requires sending a specifically crafted web request to the vulnerable application. The complexity is moderate, as it involves understanding the internal workings of the `indexOf` function within `JSONParserByteArray` to create an effective payload. No authentication is likely required if the vulnerable component processes unauthenticated web requests. This is typically a remote attack. There are no special conditions beyond the crafted input itself, but the impact's severity depends on how frequently the vulnerable function is called with untrusted data. The likelihood increases if the application publicly exposes an endpoint that processes JSON data via the affected component.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2021-31684?
Available Upgrade Options
- net.minidev:json-smart
- >1.3.0, <1.3.3 → Upgrade to 1.3.3
- net.minidev:json-smart
- >2.4.0, <2.4.4 → Upgrade to 2.4.4
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://security.netapp.com/advisory/ntap-20240621-0006
- https://github.com/netplex/json-smart-v1/pull/11
- https://github.com/netplex/json-smart-v1/issues/10
- https://github.com/netplex/json-smart-v2/pull/68
- https://lists.debian.org/debian-lts-announce/2023/03/msg00030.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-31684
- https://github.com/netplex/json-smart-v2/issues/67
- https://www.oracle.com/security-alerts/cpujan2022.html
What are Similar Vulnerabilities to CVE-2021-31684?
Similar Vulnerabilities: CVE-2022-22965 , CVE-2021-44228 , CVE-2023-34035 , CVE-2018-8012 , CVE-2020-13936
