CVE-2023-5072
Published: 2023-10-12
Priority: P3 · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.45% (70.0th percentile)
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atlassian | bitbucket_data_center | — | — |
| debian | jenkins-json | < libjson-java 3.1.0+dfsg-1 (forky) | libjson-java 3.1.0+dfsg-1 (forky) |
| debian | libjettison-java | < libjson-java 3.1.0+dfsg-1 (forky) | libjson-java 3.1.0+dfsg-1 (forky) |
| debian | libjson-java | < libjson-java 3.1.0+dfsg-1 (forky) | libjson-java 3.1.0+dfsg-1 (forky) |
| jenkins | deployment_dashboard_plugin | — | — |
| jenkins | dingding_json_pusher_plugin | — | — |
| jenkins | htmlresource_plugin | — | — |
| jenkins | nexus_platform_plugin | — | — |
| jenkins | openid_connect_authentication_plugin | — | — |
| jenkins | paaslane_estimate_plugin | — | — |
| jenkins | scriptler_plugin | — | — |
| jenkins | synopsys_rapid_scan_static_is_the_only_plugin | — | — |
| stleary | json-java | <= 20230618 | — |
CVSS provenance

| Source | CVSS | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_oracle | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |

All sources agree on 7.5 for the library itself. Oracle's per-product risk-matrix entries below score some bundled components lower (4.3 for GraalVM Multilingual Engine, 3.7 for GoldenGate) because of the context in which the component is reached, while the HIGH tag on those entries reflects the library's base score.
Oracle
Oracle Systems Risk Matrix: Tools (JSON-java) — CVE-2023-5072
vendor_oracle · 2024-10-15 · CVSS 7.5 [HIGH]
CVE: CVE-2023-5072
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Advisory: cpuoct2024 (Critical Patch Update, October 2024)
Oracle
Oracle Fusion Middleware Risk Matrix: Discussion Forums (JSON-java) — CVE-2023-5072
vendor_oracle · 2024-07-15 · CVSS 7.5 [HIGH]
CVE: CVE-2023-5072
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Advisory: cpujul2024 (Critical Patch Update, July 2024)
Oracle
Oracle Database Server Risk Matrix: GraalVM Multilingual Engine — CVE-2023-5072
vendor_oracle · 2024-04-15 · CVSS 4.3 (Oracle's score for this component; tagged HIGH from the 7.5 base score)
CVE: CVE-2023-5072
CVSS: 4.3
Protocol: Multiple
Remote exploit: Yes
Attack vector: Network
Advisory: cpuapr2024 (Critical Patch Update, April 2024)
Atlassian
CVE-2023-5072: DoS (Denial of Service) org.json:json Dependency in Bitbucket Data Center and Server
vendor_atlassian · 2024-01-16 · CVSS 7.5 [HIGH]
CVE: CVE-2023-5072
Severity: HIGH
Affected products: Bitbucket Data Center
Oracle
Oracle GoldenGate Risk Matrix: Oracle GoldenGate (JSON-java) — CVE-2023-5072
vendor_oracle · 2024-01-15 · CVSS 3.7 (Oracle's score for this component; tagged HIGH from the 7.5 base score)
CVE: CVE-2023-5072
CVSS: 3.7
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Advisory: cpujan2024 (Critical Patch Update, January 2024)
Jenkins
Jenkins Security Advisory 2023-12-13
vendor_jenkins · 2023-12-13 · CVSS 7.5 [HIGH]
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Analysis Model API Plugin
- Deployment Dashboard Plugin
- Dingding JSON Pusher Plugin
- HTMLResource Plugin
- Nexus Platform Plugin
- OpenId Connect Authentication Plugin
- PaaSL
Red Hat
JSON-java: parser confusion leads to OOM
vendor_redhat · 2023-10-12 · CVSS 7.5 [HIGH] · CWE-770
A flaw was found in the org.json package. A bug in the parser exists, and an input string may lead to undefined usage of memory, leading to an out-of-memory error, causing a denial of service (DoS).
Statement: This vulnerability may cause denial of service with a small string input, causing the server to be unresponsive easily, hence the Important impact.
Mitigation: No current mitigation is available for this flaw.
Package: JSON-java (OpenShift Serverless) - Not affected
Package: JSON-java (Red Hat Ansible Automation Platform 2) - Not affected
Package: JSON-ja
Debian
CVE-2023-5072: jenkins-json - Denial of Service in JSON-Java versions up to and including 20230618
vendor_debian · 2023 · CVSS 7.5 [HIGH]
Scope: local
Status by suite: bookworm open · bullseye open · forky open · sid open · trixie open
GHSA
Java: DoS Vulnerability in JSON-JAVA
ghsa · 2023-11-14 · [HIGH] · CWE-358
### Summary
A denial of service vulnerability in JSON-Java was discovered by [ClusterFuzz](https://google.github.io/clusterfuzz/). A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using `\` to escape special characters, including `\` itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of `\` characters in the escaped string.
### Severity
High
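The two-part mechanism in the GHSA summary (an object slipping through as a key, then being re-serialized with backslash escaping at every nesting level) is easier to reason about with numbers in front of you. The block below is an added illustration written for this page; it is not org.json code and does not reproduce the ClusterFuzz input. It models only the escaping step the advisory describes, so you can see the attacker's input grow by a few bytes per level while the escaped text roughly doubles, and it adds the pre-parse gate a service can put in front of the library when it must keep accepting untrusted JSON before the upgrade lands (the real fix is moving to a release after 20230618; 20231013 is the first one with the fix). The `attacker_input` layout, the function names and the size and depth limits are assumptions of the model.

```python
"""Model of the CVE-2023-5072 key-escaping blow-up. Added example for this
page; not org.json code. It reimplements one behaviour only: a key that is
itself a JSON object is turned back into a string with `"` and `\\` escaped."""


def quote(s):
    """Escape the two characters that drive the growth, the way a JSON
    serializer would: each existing backslash becomes two and each quote
    gains a leading backslash. With B backslashes and Q quotes in the
    input, the output has 2B + Q backslashes, so the count at least doubles."""
    return '"' + s.replace('\\', '\\\\').replace('"', '\\"') + '"'


def attacker_input(depth):
    """Modest-size input: a raw JSON object used as the key of the enclosing
    object, nested `depth` times around {"a":1}. This is the layout the
    model assumes the bypassed key check would have rejected; it is not the
    fuzzer's reproducer. Length grows by 4 bytes per level."""
    s = '{"a":1}'
    for _ in range(depth):
        s = '{' + s + ':1}'
    return s


def serialized_after_parse(depth):
    """What a parser that accepts the object key and stringifies it holds in
    memory: each level's key is the quoted serialization of the level below."""
    s = '{"a":1}'
    for _ in range(depth):
        s = '{' + quote(s) + ':1}'
    return s


def growth_table(max_depth):
    """Rows of (depth, input bytes, escaped bytes, backslash count)."""
    rows = []
    for d in range(max_depth + 1):
        out = serialized_after_parse(d)
        rows.append((d, len(attacker_input(d)), len(out), out.count('\\')))
    return rows


def max_nesting(text):
    """Linear-time, allocation-free pre-parse check: deepest {/[ nesting,
    ignoring brackets inside string literals. Bounding depth bounds the
    2^depth expansion before the parser allocates anything."""
    depth = deepest = 0
    in_str = escaped = False
    for ch in text:
        if in_str:
            if escaped:
                escaped = False
            elif ch == '\\':
                escaped = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch in '{[':
            depth += 1
            deepest = max(deepest, depth)
        elif ch in '}]':
            depth -= 1
    return deepest


def safe_to_parse(text, max_bytes=64 * 1024, max_depth=32):
    """Gate untrusted JSON before handing it to the library. The defaults are
    assumed values; set them to what the service legitimately receives.
    Returns (ok, reason)."""
    if len(text) > max_bytes:
        return False, 'input exceeds %d bytes' % max_bytes
    depth = max_nesting(text)
    if depth > max_depth:
        return False, 'nesting depth %d exceeds %d' % (depth, max_depth)
    return True, 'ok'


if __name__ == '__main__':
    for d, n_in, n_out, n_bs in growth_table(12):
        print('depth %2d  input %3d B  escaped %6d B  backslashes %5d'
              % (d, n_in, n_out, n_bs))
    print(safe_to_parse(attacker_input(40)))
```

At depth 10 the modelled input is 47 bytes and the escaped key is 4139 bytes; every further level roughly doubles the latter, so a few hundred bytes of input is enough to ask for gigabytes. The depth gate works because the raw-object keys are unquoted in the input and therefore count toward nesting; a byte limit alone does not help, which is why both checks are applied.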
OSV
Java: DoS Vulnerability in JSON-JAVA
osv · 2023-11-14 · [HIGH]
Same advisory text as the GHSA entry (OSV mirrors the GitHub advisory).
OSV
CVE-2023-5072: Denial of Service in JSON-Java versions up to and including 20230618
osv · 2023-10-12 · CVSS 7.5 [HIGH]
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2023-5072 JSON-java: parser confusion leads to OOM
bugzilla · 2023-10-26 · CVSS 7.5 [HIGH]
Discussion: this issue has been addressed in the following products:
- Red Hat Integration, via RHSA-2023:7617 https://access.redhat.com/errata/RHSA-2023:7617
- Red Hat AMQ Streams 2.6.0, via RHSA-2023:7678 https://access.redhat.com/errata/RHSA-2023:7678
- Red Hat Integration, via RHSA-2023:7705 https://access.redhat.com/errata/RHSA-2023:7705
- RHINT Camel-Springboot 4.
arXiv
A Large-scale Empirical Study on the Generalizability of Disclosed Java Library Vulnerability Exploits
arxiv_fulltext · 2026-03
## Abstract
Open-source software supply chain security relies heavily on assessing affected versions of library vulnerabilities. While prior studies have leveraged exploits for verifying vulnerability affected versions, they point out a key limitation that exploits are version-specific and cannot be directly applied across library versions. Despite being widely acknowledged, this limitation has not been systematically validated at scale, leaving the actual applicability of exploits across versions unexplored. To fill this gap, we conduct the first large-scale empirical study on exploit applicability across library versions. We construct a comprehensive dataset consisting of 259 exploits spanning 128 Java libraries and 28,150 historical versions, covering 61 CWEs that account for 76.33% of
References
- http://www.openwall.com/lists/oss-security/2023/12/13/4
- https://github.com/stleary/JSON-java/issues/758
- https://github.com/stleary/JSON-java/issues/771
- https://security.netapp.com/advisory/ntap-20240621-0007/