CVE-2023-5072Allocation of Resources Without Limits or Throttling in Jenkins-json

CWE-770Allocation of Resources Without Limits or ThrottlingCWE-358Improperly Implemented Security Check for StandardCWE-400Uncontrolled Resource Consumption14 documents9 sources
Severity
7.5HIGHNVD
EPSS
0.7%
top 27.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
13
Debian Jenkins-jsonDebian Libjettison-javaDebian Libjson-java+10 more
Timeline
PublishedOct 12
Latest updateOct 15

Description

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages13 packages

debiandebian/libjson-java< libjson-java 3.1.0+dfsg-1 (forky)
NVDstleary/json-java20230618
debiandebian/jenkins-json< libjson-java 3.1.0+dfsg-1 (forky)
debiandebian/libjettison-java< libjson-java 3.1.0+dfsg-1 (forky)

🔴Vulnerability Details

3
GHSA
Java: DoS Vulnerability in JSON-JAVA2023-11-14
OSV
Java: DoS Vulnerability in JSON-JAVA2023-11-14
OSV
CVE-2023-5072: Denial of Service in JSON-Java versions up to and including 202306182023-10-12

📋Vendor Advisories

8
Oracle
Oracle Oracle Systems Risk Matrix: Tools (JSON-java) — CVE-2023-50722024-10-15
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Discussion Forums (JSON-java) — CVE-2023-50722024-07-15
Oracle
Oracle Oracle Database Server Risk Matrix: GraalVM Multilingual Engine — CVE-2023-50722024-04-15
Atlassian
CVE-2023-5072: DoS (Denial of Service) org.json:json Dependency in Bitbucket Data Center and Server2024-01-16
Oracle
Oracle Oracle GoldenGate Risk Matrix: Oracle GoldenGate (JSON-java) — CVE-2023-50722024-01-15

📄Research Papers

1
arXiv
A Large-scale Empirical Study on the Generalizability of Disclosed Java Library Vulnerability Exploits2026-03