CVE-2022-40149 — Stack-based Buffer Overflow in Jettison

CWE-121 — Stack-based Buffer Overflow CWE-787 — Out-of-bounds Write12 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 32.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Libjettison-java Jettison Jettison Project Jettison +2 more

Timeline

PublishedSep 16

Latest updateMar 19

Description

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/libjettison-java< libjettison-java 1.5.1-1 (bookworm)

▶CVEListV5jettison/jettisonunspecified — 1.4.0

▶NVDjettison_project/jettison1.4.0

▶atlassianatlassian/jira_software

Also affects: Debian Linux 10.0, 11.0

🔴Vulnerability Details

GHSA

Jettison parser crash by stackoverflow↗2023-08-01

▶

OSV

Jettison parser crash by stackoverflow↗2023-08-01

▶

OSV

Jettison parser crash by stackoverflow↗2022-09-17

▶

GHSA

Jettison parser crash by stackoverflow↗2022-09-17

▶

OSV

CVE-2022-40149: Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS)↗2022-09-16

▶

📋Vendor Advisories

Atlassian

CVE-2022-40149: DoS (Denial of Service) org.codehaus.jettison:jettison Dependency in Jira Software Data Center and Server↗2024-03-19

▶

Ubuntu

Jettison vulnerabilities↗2023-06-19

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Build Scripts (Jettison) — CVE-2022-40149↗2023-04-15

▶

Oracle

Oracle Oracle PeopleSoft Risk Matrix: Security (Jettison) — CVE-2022-40149↗2023-01-15

▶

Red Hat

jettison: parser crash by stackoverflow↗2022-09-20

▶