CVE-2023-1370 — json-smart Uncontrolled Recursion vulnerability

Description

[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

How to fix CVE-2023-1370

To remediate CVE-2023-1370, upgrade the affected package to a fixed version below.

—upgrade to 2.2-2+deb11u1 or later
—upgrade to 2.4.9 or later

Is CVE-2023-1370 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.2-2+deb11u1
from 0, < 2.4.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-1370
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-1370
PATCHgithub.com/oswaldobapvicjr/jsonmerge
WEBgithub.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a