cvelistv5 - cve-2023-3894

CVE-2023-3894 (GCVE-0-2023-3894)

Vulnerability from cvelistv5

Published

2023-08-08 16:59

Modified

2024-09-27 16:07

Severity ?

5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

CWE

CWE-20 - Improper Input Validation

Summary

Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

References

►

URL

	Vendor	Product	Version
	FasterXML	jackson-dataformats-text	Version: 0 < 2.15.0

fkie_cve-2023-3894

Vulnerability from fkie_nvd

Published

2023-08-08 18:15

Modified

2024-11-21 08:18

Severity ?

5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
cve-coordination@google.com	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083	Issue Tracking, Patch, Third Party Advisory
cve-coordination@google.com	https://github.com/FasterXML/jackson-dataformats-text/blob/2.16/release-notes/VERSION-2.x	Release Notes
cve-coordination@google.com	https://github.com/FasterXML/jackson-dataformats-text/pull/398	Patch
af854a3a-2127-422b-91ae-364da2661108	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083	Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/FasterXML/jackson-dataformats-text/blob/2.16/release-notes/VERSION-2.x	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/FasterXML/jackson-dataformats-text/pull/398	Patch

Impacted products

	Vendor	Product	Version
	fasterxml	jackson-dataformats-text	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:fasterxml:jackson-dataformats-text:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8EA5DD6F-240A-4691-B691-1D38B8B4165A",
              "versionEndExcluding": "2.15.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.\n"
    }
  ],
  "id": "CVE-2023-3894",
  "lastModified": "2024-11-21T08:18:18.677",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "cve-coordination@google.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-08-08T18:15:24.297",
  "references": [
    {
      "source": "cve-coordination@google.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083"
    },
    {
      "source": "cve-coordination@google.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/FasterXML/jackson-dataformats-text/blob/2.16/release-notes/VERSION-2.x"
    },
    {
      "source": "cve-coordination@google.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/FasterXML/jackson-dataformats-text/pull/398"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/FasterXML/jackson-dataformats-text/blob/2.16/release-notes/VERSION-2.x"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/FasterXML/jackson-dataformats-text/pull/398"
    }
  ],
  "sourceIdentifier": "cve-coordination@google.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "cve-coordination@google.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

opensuse-su-2024:13151-1

Vulnerability from csaf_opensuse

Published

2024-06-15 00:00

Modified

2024-06-15 00:00

Summary

jackson-dataformat-csv-2.15.2-1.1 on GA media

Notes

Title of the patch

jackson-dataformat-csv-2.15.2-1.1 on GA media

Description of the patch

These are all security issues fixed in the jackson-dataformat-csv-2.15.2-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-13151

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "jackson-dataformat-csv-2.15.2-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the jackson-dataformat-csv-2.15.2-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13151",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13151-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-1471 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-1471/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-3894 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-3894/"
      }
    ],
    "title": "jackson-dataformat-csv-2.15.2-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13151-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-dataformat-csv-2.15.2-1.1.aarch64",
                "product": {
                  "name": "jackson-dataformat-csv-2.15.2-1.1.aarch64",
                  "product_id": "jackson-dataformat-csv-2.15.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformat-properties-2.15.2-1.1.aarch64",
                "product": {
                  "name": "jackson-dataformat-properties-2.15.2-1.1.aarch64",
                  "product_id": "jackson-dataformat-properties-2.15.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformat-toml-2.15.2-1.1.aarch64",
                "product": {
                  "name": "jackson-dataformat-toml-2.15.2-1.1.aarch64",
                  "product_id": "jackson-dataformat-toml-2.15.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformat-yaml-2.15.2-1.1.aarch64",
                "product": {
                  "name": "jackson-dataformat-yaml-2.15.2-1.1.aarch64",
                  "product_id": "jackson-dataformat-yaml-2.15.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformats-text-2.15.2-1.1.aarch64",
                "product": {
                  "name": "jackson-dataformats-text-2.15.2-1.1.aarch64",
                  "product_id": "jackson-dataformats-text-2.15.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformats-text-javadoc-2.15.2-1.1.aarch64",
                "product": {
                  "name": "jackson-dataformats-text-javadoc-2.15.2-1.1.aarch64",
                  "product_id": "jackson-dataformats-text-javadoc-2.15.2-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-dataformat-csv-2.15.2-1.1.ppc64le",
                "product": {
                  "name": "jackson-dataformat-csv-2.15.2-1.1.ppc64le",
                  "product_id": "jackson-dataformat-csv-2.15.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformat-properties-2.15.2-1.1.ppc64le",
                "product": {
                  "name": "jackson-dataformat-properties-2.15.2-1.1.ppc64le",
                  "product_id": "jackson-dataformat-properties-2.15.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformat-toml-2.15.2-1.1.ppc64le",
                "product": {
                  "name": "jackson-dataformat-toml-2.15.2-1.1.ppc64le",
                  "product_id": "jackson-dataformat-toml-2.15.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformat-yaml-2.15.2-1.1.ppc64le",
                "product": {
                  "name": "jackson-dataformat-yaml-2.15.2-1.1.ppc64le",
                  "product_id": "jackson-dataformat-yaml-2.15.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformats-text-2.15.2-1.1.ppc64le",
                "product": {
                  "name": "jackson-dataformats-text-2.15.2-1.1.ppc64le",
                  "product_id": "jackson-dataformats-text-2.15.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformats-text-javadoc-2.15.2-1.1.ppc64le",
                "product": {
                  "name": "jackson-dataformats-text-javadoc-2.15.2-1.1.ppc64le",
                  "product_id": "jackson-dataformats-text-javadoc-2.15.2-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-dataformat-csv-2.15.2-1.1.s390x",
                "product": {
                  "name": "jackson-dataformat-csv-2.15.2-1.1.s390x",
                  "product_id": "jackson-dataformat-csv-2.15.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformat-properties-2.15.2-1.1.s390x",
                "product": {
                  "name": "jackson-dataformat-properties-2.15.2-1.1.s390x",
                  "product_id": "jackson-dataformat-properties-2.15.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformat-toml-2.15.2-1.1.s390x",
                "product": {
                  "name": "jackson-dataformat-toml-2.15.2-1.1.s390x",
                  "product_id": "jackson-dataformat-toml-2.15.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformat-yaml-2.15.2-1.1.s390x",
                "product": {
                  "name": "jackson-dataformat-yaml-2.15.2-1.1.s390x",
                  "product_id": "jackson-dataformat-yaml-2.15.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformats-text-2.15.2-1.1.s390x",
                "product": {
                  "name": "jackson-dataformats-text-2.15.2-1.1.s390x",
                  "product_id": "jackson-dataformats-text-2.15.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformats-text-javadoc-2.15.2-1.1.s390x",
                "product": {
                  "name": "jackson-dataformats-text-javadoc-2.15.2-1.1.s390x",
                  "product_id": "jackson-dataformats-text-javadoc-2.15.2-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-dataformat-csv-2.15.2-1.1.x86_64",
                "product": {
                  "name": "jackson-dataformat-csv-2.15.2-1.1.x86_64",
                  "product_id": "jackson-dataformat-csv-2.15.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformat-properties-2.15.2-1.1.x86_64",
                "product": {
                  "name": "jackson-dataformat-properties-2.15.2-1.1.x86_64",
                  "product_id": "jackson-dataformat-properties-2.15.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformat-toml-2.15.2-1.1.x86_64",
                "product": {
                  "name": "jackson-dataformat-toml-2.15.2-1.1.x86_64",
                  "product_id": "jackson-dataformat-toml-2.15.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformat-yaml-2.15.2-1.1.x86_64",
                "product": {
                  "name": "jackson-dataformat-yaml-2.15.2-1.1.x86_64",
                  "product_id": "jackson-dataformat-yaml-2.15.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformats-text-2.15.2-1.1.x86_64",
                "product": {
                  "name": "jackson-dataformats-text-2.15.2-1.1.x86_64",
                  "product_id": "jackson-dataformats-text-2.15.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-dataformats-text-javadoc-2.15.2-1.1.x86_64",
                "product": {
                  "name": "jackson-dataformats-text-javadoc-2.15.2-1.1.x86_64",
                  "product_id": "jackson-dataformats-text-javadoc-2.15.2-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-csv-2.15.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.aarch64"
        },
        "product_reference": "jackson-dataformat-csv-2.15.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-csv-2.15.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.ppc64le"
        },
        "product_reference": "jackson-dataformat-csv-2.15.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-csv-2.15.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.s390x"
        },
        "product_reference": "jackson-dataformat-csv-2.15.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-csv-2.15.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.x86_64"
        },
        "product_reference": "jackson-dataformat-csv-2.15.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-properties-2.15.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.aarch64"
        },
        "product_reference": "jackson-dataformat-properties-2.15.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-properties-2.15.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.ppc64le"
        },
        "product_reference": "jackson-dataformat-properties-2.15.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-properties-2.15.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.s390x"
        },
        "product_reference": "jackson-dataformat-properties-2.15.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-properties-2.15.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.x86_64"
        },
        "product_reference": "jackson-dataformat-properties-2.15.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-toml-2.15.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.aarch64"
        },
        "product_reference": "jackson-dataformat-toml-2.15.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-toml-2.15.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.ppc64le"
        },
        "product_reference": "jackson-dataformat-toml-2.15.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-toml-2.15.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.s390x"
        },
        "product_reference": "jackson-dataformat-toml-2.15.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-toml-2.15.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.x86_64"
        },
        "product_reference": "jackson-dataformat-toml-2.15.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-yaml-2.15.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.aarch64"
        },
        "product_reference": "jackson-dataformat-yaml-2.15.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-yaml-2.15.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.ppc64le"
        },
        "product_reference": "jackson-dataformat-yaml-2.15.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-yaml-2.15.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.s390x"
        },
        "product_reference": "jackson-dataformat-yaml-2.15.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformat-yaml-2.15.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.x86_64"
        },
        "product_reference": "jackson-dataformat-yaml-2.15.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformats-text-2.15.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.aarch64"
        },
        "product_reference": "jackson-dataformats-text-2.15.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformats-text-2.15.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.ppc64le"
        },
        "product_reference": "jackson-dataformats-text-2.15.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformats-text-2.15.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.s390x"
        },
        "product_reference": "jackson-dataformats-text-2.15.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformats-text-2.15.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.x86_64"
        },
        "product_reference": "jackson-dataformats-text-2.15.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformats-text-javadoc-2.15.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.aarch64"
        },
        "product_reference": "jackson-dataformats-text-javadoc-2.15.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformats-text-javadoc-2.15.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.ppc64le"
        },
        "product_reference": "jackson-dataformats-text-javadoc-2.15.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformats-text-javadoc-2.15.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.s390x"
        },
        "product_reference": "jackson-dataformats-text-javadoc-2.15.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-dataformats-text-javadoc-2.15.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.x86_64"
        },
        "product_reference": "jackson-dataformats-text-javadoc-2.15.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-1471",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-1471"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "SnakeYaml\u0027s Constructor() class does not restrict types which can be instantiated during deserialization.  Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml\u0027s SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.s390x",
          "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.s390x",
          "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.s390x",
          "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.s390x",
          "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.s390x",
          "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.s390x",
          "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-1471",
          "url": "https://www.suse.com/security/cve/CVE-2022-1471"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1205944 for CVE-2022-1471",
          "url": "https://bugzilla.suse.com/1205944"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-1471"
    },
    {
      "cve": "CVE-2023-3894",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-3894"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.\n",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.s390x",
          "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.s390x",
          "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.s390x",
          "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.s390x",
          "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.s390x",
          "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.s390x",
          "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-3894",
          "url": "https://www.suse.com/security/cve/CVE-2023-3894"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1214111 for CVE-2023-3894",
          "url": "https://bugzilla.suse.com/1214111"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.s390x",
            "openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-3894"
    }
  ]
}

gsd-2023-3894

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-3894

Aliases

CVE-2023-3894

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-3894",
    "id": "GSD-2023-3894"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-3894"
      ],
      "details": "Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.\n",
      "id": "GSD-2023-3894",
      "modified": "2023-12-13T01:20:54.769312Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@google.com",
        "ID": "CVE-2023-3894",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": " jackson-dataformats-text",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "2.15.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "FasterXML"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "OSS-Fuzz"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-20",
                "lang": "eng",
                "value": "CWE-20 Improper Input Validation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083",
            "refsource": "MISC",
            "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083"
          },
          {
            "name": "https://github.com/FasterXML/jackson-dataformats-text/pull/398",
            "refsource": "MISC",
            "url": "https://github.com/FasterXML/jackson-dataformats-text/pull/398"
          },
          {
            "name": "https://github.com/FasterXML/jackson-dataformats-text/blob/2.16/release-notes/VERSION-2.x",
            "refsource": "MISC",
            "url": "https://github.com/FasterXML/jackson-dataformats-text/blob/2.16/release-notes/VERSION-2.x"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:fasterxml:jackson-dataformats-text:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.15.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@google.com",
          "ID": "CVE-2023-3894"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-787"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083"
            },
            {
              "name": "https://github.com/FasterXML/jackson-dataformats-text/pull/398",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/FasterXML/jackson-dataformats-text/pull/398"
            },
            {
              "name": "https://github.com/FasterXML/jackson-dataformats-text/blob/2.16/release-notes/VERSION-2.x",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/FasterXML/jackson-dataformats-text/blob/2.16/release-notes/VERSION-2.x"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-08-15T19:28Z",
      "publishedDate": "2023-08-08T18:15Z"
    }
  }
}

ghsa-rg2c-cfxv-qp6f

Vulnerability from github

Published

2023-08-08 18:30

Modified

2023-09-06 15:32

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Summary

Denial of service in jackson-dataformats-text

Details

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.dataformat:jackson-dataformats-text"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-3894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-400",
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-09T12:52:21Z",
    "nvd_published_at": "2023-08-08T18:15:24Z",
    "severity": "HIGH"
  },
  "details": "Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.\n",
  "id": "GHSA-rg2c-cfxv-qp6f",
  "modified": "2023-09-06T15:32:33Z",
  "published": "2023-08-08T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3894"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-dataformats-text/pull/398"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-dataformats-text/commit/5dd5f740aedcf37adad7ffece460e75e54abb0ed"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FasterXML/jackson-dataformats-text"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-dataformats-text/blob/2.16/release-notes/VERSION-2.x"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of service in jackson-dataformats-text"
}

wid-sec-w-2023-2027

Vulnerability from csaf_certbund

Published

2023-08-09 22:00

Modified

2024-06-03 22:00

Summary

FasterXML Jackson: Schwachstelle ermöglicht Denial of Service

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Jackson ist eine quelloffene Bibliothek zur JSON-Verarbeitung in Java.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in FasterXML Jackson ausnutzen, um einen Denial of Service Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Jackson ist eine quelloffene Bibliothek zur JSON-Verarbeitung in Java.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in FasterXML Jackson ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2027 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2027.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2027 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2027"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugzilla \u2013 Bug 2230718 vom 2023-08-09",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2230718"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7156362 vom 2024-06-04",
        "url": "https://www.ibm.com/support/pages/node/7156362"
      }
    ],
    "source_lang": "en-US",
    "title": "FasterXML Jackson: Schwachstelle erm\u00f6glicht Denial of Service",
    "tracking": {
      "current_release_date": "2024-06-03T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:56:54.064+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-2027",
      "initial_release_date": "2023-08-09T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-08-09T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-06-03T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von IBM aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cjackson-dataformats-text 2.15",
                "product": {
                  "name": "FasterXML Jackson \u003cjackson-dataformats-text 2.15",
                  "product_id": "T029221"
                }
              }
            ],
            "category": "product_name",
            "name": "Jackson"
          }
        ],
        "category": "vendor",
        "name": "FasterXML"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "8.7",
                "product": {
                  "name": "IBM Content Manager 8.7",
                  "product_id": "T025981",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:content_manager:8.7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Content Manager"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-3894",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in FasterXML Jackson. Dieser Fehler betrifft die Verwendung von jackson-dataformats-text zum Parsen von TOML-Daten. Durch die Bereitstellung bestimmter Inhalte f\u00fcr den Parser kann ein Stapel\u00fcberlauf ausgel\u00f6st werden, der den Parser zum Absturz bringt. Ein Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T025981"
        ]
      },
      "release_date": "2023-08-09T22:00:00.000+00:00",
      "title": "CVE-2023-3894"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-3894 (GCVE-0-2023-3894)

Vulnerability from cvelistv5

fkie_cve-2023-3894

Vulnerability from fkie_nvd

opensuse-su-2024:13151-1

Vulnerability from csaf_opensuse

gsd-2023-3894

Vulnerability from gsd

ghsa-rg2c-cfxv-qp6f

Vulnerability from github

wid-sec-w-2023-2027

Vulnerability from csaf_certbund

Tags

Sightings

Nomenclature