CVE-2023-4043: Eclipse Parsson Denial of Service vulnerability

November 3, 2023

In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.

To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.

References

github.com/advisories/GHSA-g8p6-p27c-52fx
github.com/eclipse-ee4j/parsson/pull/100
gitlab.eclipse.org/security/vulnerability-reports/-/issues/13
nvd.nist.gov/vuln/detail/CVE-2023-4043

Code Behaviors & Features

Detect and mitigate CVE-2023-4043 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →