Bug#1053883: jenkins-json: CVE-2023-5072
Pierre Gruet
pgt at debian.org
Sat Dec 14 22:28:33 GMT 2024
Dear Maintainer,
On Fri, 13 Oct 2023 15:26:55 +0200 Moritz Mühlenhoff
<jmm at inutil.org> wrote:
> Source: jenkins-json
> X-Debbugs-CC: team at security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for jenkins-json.
>
> CVE-2023-5072[0]:
> | Denial of Service in JSON-Java versions up to and including
> | 20230618. A bug in the parser means that an input string of modest
> | size can lead to indefinite amounts of memory being used.
>
> https://github.com/stleary/JSON-java/issues/758
> https://github.com/stleary/JSON-java/issues/771
> https://github.com/stleary/JSON-java/pull/772/
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-5072
> https://www.cve.org/CVERecord?id=CVE-2023-5072
>
> Please adjust the affected versions in the BTS as needed.
>
>
For the record:
https://www.jenkins.io/security/advisory/2023-12-13/
indicates that jenkins-json should be unaffected by the CVE, but I am
skeptical as it obviously embeds code from json-java. But I have not
found how to ask this simply.
One should try to see how jenkins-json behaves according to the
problematic test cases committed in
https://github.com/stleary/JSON-java/commit/dbb113176b143b519ad0a50b033a9997cc2248fe
(20231013)
https://github.com/stleary/JSON-java/commit/16967f322ee65c301b48fa79bb681e38896fd212
(20231013)
https://github.com/stleary/JSON-java/commit/661114c50dcfd53bb041aab66f14bb91e0a87c8a
(20231013)
to examine if it is vulnerable.
Best,
--
Pierre