CVE-2023-5072
Denial of Service vulnerability in json (Maven)
What is CVE-2023-5072 About?
This is a denial of service vulnerability in JSON-Java that can lead to excessive memory consumption. A maliciously crafted input string can cause the parser to use unbounded amounts of memory, resulting in an OutOfMemoryError. Exploitation is straightforward with a specially constructed JSON input, allowing for easy service disruption.
Affected Software
Technical Details
The vulnerability stems from a parser bug in JSON-Java. Specifically, the parser fails to properly prevent a JSON object from being used as a key within another JSON object. When such a nested JSON object key is converted to a string, it undergoes an escaping process where backslashes are used to escape special characters, including other backslashes. By nesting JSON objects as keys repeatedly (e.g., `{"a":1;\t\0{"a":1;\t\0{"a":1}:1}:1}`), the number of backslashes generated during string conversion grows exponentially with the nesting depth. This exponential increase in required escape characters rapidly consumes memory, leading to an OutOfMemoryError and thus a Denial-of-Service when processing even a moderately sized crafted input string.
What is the Impact of CVE-2023-5072?
Successful exploitation may allow attackers to cause a Denial-of-Service condition due to excessive memory consumption, leading to system instability, crashes, and unavailability of applications processing JSON data.
What is the Exploitability of CVE-2023-5072?
Exploitation of this vulnerability is relatively low in complexity, requiring only the ability to supply a specially crafted JSON string as input to the vulnerable JSON-Java parser. No authentication or specific privileges are required beyond the ability to submit JSON data to an application utilizing the library. This is typically a remote attack if the JSON input comes from an external source, but could also be local if an attacker can control local file input. The key prerequisite is that the application must be using an unpatched version of the JSON-Java library and processing untrusted JSON input. The risk factors are high for applications that deserialize JSON from external sources without proper input validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-5072?
About the Fix from Resolved Security
The patch for CVE-2023-5072 ensures that after a comma or semicolon within a JSON object, parsing does not silently accept unexpected or truncated input (such as a null byte or end-of-string) and correctly throws a syntax error if the object does not properly end with a '}'. This prevents attackers from exploiting the parser to bypass input validation by crafting malformed JSON that would previously be accepted.
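The following is an added example, not code from the JSON-Java project or this advisory. It checks, against the crafted input quoted in the Technical Details above, that the installed org.json build rejects it as the fix describes, and adds a hypothetical pre-parse guard (`looksSafe`) that bounds nesting depth and refuses control characters outside strings before untrusted JSON reaches the parser. It assumes org.json:json is on the classpath.

```java
import org.json.JSONException;
import org.json.JSONObject;

// Added example; not part of the JSON-Java project.
public class Cve20235072Check {

    // Crafted input from the advisory: the ';' + tab + NUL sequence lets an
    // unpatched parser accept a nested JSON object as a key.
    static final String CRAFTED = "{\"a\":1;\t\0{\"a\":1;\t\0{\"a\":1}:1}:1}";

    // Hypothetical defense-in-depth guard (coarse lexical pre-check, not a
    // validator): reject input whose {}/[] nesting exceeds maxDepth or that
    // carries control characters outside string literals. The escape blow-up
    // grows with nesting depth, so bounding depth bounds the memory cost.
    static boolean looksSafe(String json, int maxDepth) {
        int depth = 0;
        boolean inString = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (c == '\\') i++;                 // skip the escaped character
                else if (c == '"') inString = false;
                continue;
            }
            if (c == '"') inString = true;
            else if (c == '{' || c == '[') { if (++depth > maxDepth) return false; }
            else if (c == '}' || c == ']') depth--;
            else if (c < 0x20 && c != '\t' && c != '\n' && c != '\r') return false; // NUL etc.
        }
        return depth == 0 && !inString;
    }

    // True when the library throws on the crafted input, i.e. the fix is present.
    // An unpatched build parses this small sample silently (it only blows up at
    // greater depth), so a clean parse here means the dependency is still vulnerable.
    static boolean parserRejectsCrafted() {
        try {
            new JSONObject(CRAFTED);
            return false;
        } catch (JSONException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("pre-parse guard rejects crafted input: " + !looksSafe(CRAFTED, 32));
        System.out.println("org.json rejects crafted input (fixed): " + parserRejectsCrafted());
    }
}
```

Run it once with the version pinned in the project's pom.xml: `false` on the second line means the parser still accepts the malformed object-as-key input and the upgrade to 20231013 has not taken effect.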
Available Upgrade Options
- org.json:json
- <20231013 → Upgrade to 20231013
Additional Resources
- http://www.openwall.com/lists/oss-security/2023/12/13/4
- https://nvd.nist.gov/vuln/detail/CVE-2023-5072
- https://github.com/stleary/JSON-java/pull/759
- https://github.com/stleary/JSON-java/issues/758
- https://github.com/stleary/JSON-java/issues/771
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://osv.dev/vulnerability/GHSA-4jq9-2xhw-jpx7
- https://github.com/stleary/JSON-java/commit/60662e2f8384d3449822a3a1179bfe8de67b55bb
- https://github.com/stleary/JSON-java
What are Similar Vulnerabilities to CVE-2023-5072?
Similar Vulnerabilities: CVE-2019-13057, CVE-2018-1000180, CVE-2016-5386, CVE-2015-8472, CVE-2013-4122
