Bug#1022553: libjettison-java: CVE-2022-40150

Salvatore Bonaccorso carnil at debian.org
Sun Oct 23 20:15:23 BST 2022


Source: libjettison-java
Version: 1.4.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for libjettison-java.

CVE-2022-40150[0]:
| Those using Jettison to parse untrusted XML or JSON data may be
| vulnerable to Denial of Service attacks (DOS). If the parser is
| running on user supplied input, an attacker may supply content that
| causes the parser to crash by Out of memory. This effect may support a
| denial of service attack.

This issue has not yet been fixed upstream at the time of writing this
report.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-40150
    https://www.cve.org/CVERecord?id=CVE-2022-40150
[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549
[2] https://github.com/jettison-json/jettison/issues/45

Regards,
Salvatore