CVE-2023-1370 – Stack exhaustion in json-smart leads to denial of service when parsing malformed JSON
https://notcve.org/view.php?id=CVE-2023-1370
[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software. A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. • https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633 https://security.netapp.com/advisory/ntap-20240621-0006 https://access.redhat.com/security/cve/CVE-2023-1370 https://bugzilla.redhat.com/show_bug.cgi?id=2188542 • CWE-674: Uncontrolled Recursion •
CVE-2021-4329 – json-logic-js logic.js command injection
https://notcve.org/view.php?id=CVE-2021-4329
A vulnerability, which was classified as critical, has been found in json-logic-js 2.0.0. Affected by this issue is some unknown functionality of the file logic.js. The manipulation leads to command injection. Upgrading to version 2.0.1 is able to address this issue. The patch is identified as c1dd82f5b15d8a553bb7a0cfa841ab8a11a9c227. • https://github.com/jwadhams/json-logic-js/commit/c1dd82f5b15d8a553bb7a0cfa841ab8a11a9c227 https://github.com/jwadhams/json-logic-js/pull/98 https://vuldb.com/?ctiid.222266 https://vuldb.com/?id.222266 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2022-45493
https://notcve.org/view.php?id=CVE-2022-45493
Buffer overflow vulnerability in function json_parse_key in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to code arbitrary code and gain escalated privileges. • https://github.com/hyrathon/trophies/security/advisories/GHSA-r2mm-2f4c-6243 • CWE-787: Out-of-bounds Write •
CVE-2023-23088
https://notcve.org/view.php?id=CVE-2023-23088
Buffer OverFlow Vulnerability in Barenboim json-parser master and v1.1.0 fixed in v1.1.1 allows an attacker to execute arbitrary code via the json_value_parse function. • https://github.com/Barenboim/json-parser/issues/7 • CWE-787: Out-of-bounds Write •
CVE-2022-45491
https://notcve.org/view.php?id=CVE-2022-45491
Buffer overflow vulnerability in function json_parse_value in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to code arbitrary code and gain escalated privileges. • https://github.com/hyrathon/trophies/security/advisories/GHSA-55fm-gm4m-3v3j https://github.com/sheredom/json.h/issues/94 • CWE-787: Out-of-bounds Write •