-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stack Overflow (Criteria.parse) #973
Comments
This seems to have recieved a CVE assigned: CVE-2023-51074 |
@kallestenflo owasp dependency check flags this as a HIGH severity, any chance for a fix? |
While I'm personally not certain whether a JsonPath.read("[]","@[\"\",/\\") // no optional third argument with a filter predicate
JsonPath.compile("@[\"\",/\\") So you would be affected by this CVE as long as you parse JSON paths from user inputs in any way. |
Hi. Our Analysis tools started rejecting our releases due to this vulnerability. Will it be fixed? |
is this really CVE? @kallestenflo you can dispute it on CVE DB just to be aware that @PoppingSnack reports very disputable CVEs see his activity https://github.com/PoppingSnack?tab=overview&from=2023-11-01&to=2023-11-30 |
I believe the CVE is in principle valid because iff you parsed a user-supplied JSON paths you will run into the issue. I seriously challenge the CVSS score, though. Any sane request handling framework will handle every request in a dedicated thread. Therefore the bug will only terminate this thread and no other requests will be impacted. Therefore the Availability Impact is at most "Low" leading to a CVSS of 5.3. I'm even arguing that it's "None" leading to a CVSS of 0. |
I am considering disputing it. It is a high vulnerability because of its high availability impact, which is defined as
I guess it would come down to that 'Alternatively...'. I guess if this function were exposed to the internet it could conceivably introduce a lot of long-running requests which hog memory. We might need evidence to show that this could not happen. |
Java has a default thread stack size of 2MB. The stack overflow happens within less than 10ms. Therefore I highly doubt that you can do anything harmful with it. |
I agree with @sithmein here. You only get to a HIGH impact if the web server handling the request is using some toy/bespoke HTTP server implementation that runs everything in a single thread. And maybe not even then. Java's threading model uses a static amount of stack memory per thread, which means the memory consumption of N requests is the same regardless of whether the request is legitimate or not. Therefore, any memory exhaustion issues would be triggered by any spike in traffic and the bug has no impact on this. Thread exhaustion? Unlike a regex attack (where a user-specified pattern might generate effectively-infinite matches and spike CPU usage), this is just a recursion bug and @sithmein reports it takes a tiny amount of time to trigger--probably faster than an actual legitimate request would take. So, in truth, this is just a bug and should not be a CVE. |
Does this CVE/bug also affects json-path version older than 2.8.0, say 2.7.0? |
Yes, 2.7.0 also produces a stack overflow for |
The problem seems to be that indexOfNextSignificantChar returns I think this might be the rootcause but I'll investigate further. |
FYI in #985 I'll show a simple fix for this. |
Hi, can someone from the maintainers confirm this is a valid or invalid CVE? |
Sorry, I have not had time to have a closer look, but @twobiers' PR seems to fix this. |
Perhaps this is a good opportunity to remove these deprecated methods? As far as I can tell, they were deprecated 9 years ago |
Can someone clarify if json-path 2.7.0 is also affected? |
@ashirvadgupta Yes, see #973 (comment). You can verify it yourself by just running the code in the linked comment. |
I fail to understand why there is even a CVE against this. People should develop a hobby or go for a walk instead of seeking CVEs every day and minute. |
Stack Overflow (Criteria.parse)
Description
A stack overflow vulnerability exists in the Criteria.parse method in json-path 2.8.0. Specially crafted input can cause uncontrolled recursion, resulting in stack overflow.
Error Log
PoC
The text was updated successfully, but these errors were encountered: