CVE-2021-23900
Uncaught Exception leading to Denial of Service in json-sanitizer
Severity: 7.5 HIGH (CVSS 3.1)
EPSS: 0.41%
Description
OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an undeclared (unchecked) exception for crafted input. Applications that assume the sanitizer always returns well-formed JSON and never throws may crash or stop processing, leading to denial of service if they are not prepared to handle these situations.
How to fix CVE-2021-23900
To remediate CVE-2021-23900, upgrade the affected package to the fixed version listed below.
- Maven, com.mikesamuel:json-sanitizer: upgrade to 1.2.2 or later
Is CVE-2021-23900 being exploited?
Low: EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- com.mikesamuel:json-sanitizer: all versions from 0 up to, but not including, 1.2.2
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |