CVE-2021-27568
json-smart: uncaught exception may lead to crash or information disclosure
Public Exploits: 2
Exploited in Wild: -
Decision: -
Descriptions
An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
A flaw was found in json-smart. When an exception is thrown from a function, but is not caught, the program using the library may crash or expose sensitive information. The highest threat from this vulnerability is to data confidentiality and system availability.
In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that make up the OCP Metering stack ship the vulnerable version of the json-smart package.
Since the release of OCP 4.6 the Metering product has been deprecated [1]; the affected components are therefore marked as wontfix.
This may be fixed in the future.
[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated
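The practical consequence of the descriptions above is that, on an affected json-smart release, JSONParser.parse() can throw an unchecked NumberFormatException in addition to the checked ParseException the caller expects, so a single malformed request can unwind a worker thread or surface the library's exception text in an error page. The upgrade (json-smart-v2 2.3.1 / 2.4.1, json-smart-v1 1.3.2, per the affected-versions table) is the fix; until that is deployed, the wrapper below contains both failure paths. It is an added example, not code from the json-smart project or from Red Hat or Oracle. It assumes json-smart (package net.minidev.json) is on the classpath; the size limit, the log helper and the malformed sample inputs are constructed for illustration, and which of the sample literals actually reaches the uncaught path depends on the library version in use.

```java
import net.minidev.json.parser.JSONParser;
import net.minidev.json.parser.ParseException;

// Added example (not json-smart project code): a defensive wrapper around
// JSONParser.parse() for deployments still on a version affected by
// CVE-2021-27568. It converts every parser failure, checked or unchecked,
// into a generic caller-facing error and logs detail server-side only.
public final class SafeJsonParse {

    /** Outcome of one parse attempt: a value on success, a generic error otherwise. */
    public static final class Result {
        public final Object value;   // parsed JSON value (JSONObject/JSONArray/scalar), or null
        public final String error;   // caller-safe message, or null on success
        Result(Object value, String error) { this.value = value; this.error = error; }
        public boolean ok() { return error == null; }
    }

    // Constructed limit for this example: refuse oversized bodies before parsing.
    private static final int MAX_CHARS = 1 << 20;

    public Result parse(String untrusted) {
        if (untrusted == null || untrusted.length() > MAX_CHARS) {
            return new Result(null, "invalid input");
        }
        // A fresh parser per call: json-smart does not document JSONParser as
        // thread-safe, and construction is cheap (assumption made here).
        JSONParser parser = new JSONParser(JSONParser.MODE_PERMISSIVE);
        try {
            return new Result(parser.parse(untrusted), null);
        } catch (ParseException e) {
            // Expected failure path: malformed JSON reported by the library.
            log("parse error at position " + e.getPosition());
            return new Result(null, "malformed JSON");
        } catch (RuntimeException e) {
            // CVE-2021-27568: affected versions let NumberFormatException escape
            // parse(). Catching RuntimeException keeps one bad request from taking
            // the thread down and keeps the library's message, which may echo the
            // offending token, out of anything returned to the client.
            log("unexpected parser exception: " + e.getClass().getName());
            return new Result(null, "malformed JSON");
        }
    }

    // Constructed helper: server-side logging only; nothing here reaches the caller.
    private static void log(String msg) {
        System.err.println("[json-smart] " + msg);
    }

    public static void main(String[] args) {
        SafeJsonParse p = new SafeJsonParse();
        String[] inputs = {
            "{\"id\": 42, \"tags\": [\"a\", \"b\"]}",   // well-formed
            "{\"id\": 1e}",                               // constructed: exponent with no digits
            "[-]",                                        // constructed: sign with no digits
            "{\"id\": 12",                                // constructed: truncated document
        };
        for (String in : inputs) {
            Result r = p.parse(in);
            System.out.println(in + " -> " + (r.ok() ? r.value : "error: " + r.error));
        }
    }
}
```

The two catch blocks deliberately return the same generic string: a caller should not be able to tell, from the response, which internal exception path a given input triggered. Treat the wrapper as a stop-gap only; the affected-versions table below names the releases that remove the uncaught path.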
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-02-23 CVE Reserved
- 2021-02-23 CVE Published
- 2024-07-29 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-754: Improper Check for Unusual or Exceptional Conditions
CAPEC
References (10)
URL | Date | SRC
---|---|---
https://github.com/netplex/json-smart-v1/issues/7 | 2024-08-03 |
https://github.com/netplex/json-smart-v2/issues/60 | 2024-08-03 |
https://www.oracle.com//security-alerts/cpujul2021.html | 2023-11-07 |
https://www.oracle.com/security-alerts/cpuapr2022.html | 2023-11-07 |
https://www.oracle.com/security-alerts/cpujan2022.html | 2023-11-07 |
https://access.redhat.com/security/cve/CVE-2021-27568 | 2021-12-14 |
https://bugzilla.redhat.com/show_bug.cgi?id=1939839 | 2021-12-14 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Json-smart Project | Json-smart-v1 | < 1.3.2 | - | Affected
Json-smart Project | Json-smart-v2 | < 2.3.1 | - | Affected
Json-smart Project | Json-smart-v2 | >= 2.4 < 2.4.1 | - | Affected
Oracle | Communications Cloud Native Core Policy | 1.14.0 | - | Affected
Oracle | Oss Support Tools | < 2.12.42 | - | Affected
Oracle | Peoplesoft Enterprise Peopletools | 8.58 | - | Affected
Oracle | Peoplesoft Enterprise Peopletools | 8.59 | - | Affected
Oracle | Utilities Framework | 4.4.0.0.0 | - | Affected
Oracle | Utilities Framework | 4.4.0.2.0 | - | Affected
Oracle | Utilities Framework | 4.4.0.3.0 | - | Affected
Oracle | Weblogic Server | 12.2.1.3.0 | - | Affected
Oracle | Weblogic Server | 12.2.1.4.0 | - | Affected
Oracle | Weblogic Server | 14.1.1.0.0 | - | Affected