com.upokecenter:cbor@3.0.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.upokecenter:cbor package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Denial of Service (DoS)
Severity: M

com.upokecenter:cbor is a Java implementation of the Concise Binary Object Representation (CBOR).

Affected versions of this package are vulnerable to Denial of Service (DoS). The CBOR library supports optional tags that enable CBOR objects to contain references to objects within them. Versions earlier than 4.0 resolved those references automatically. While this by itself doesn't cause much of a security problem, a denial of service can happen if those references are deeply nested and used multiple times (so that the same reference to the same object occurs multiple times), and if the decoded CBOR object is sent to a serialization method such as EncodeToBytes, ToString, or ToJSONString, since the objects referred to are expanded in the process and take up orders of magnitude more memory than if the references weren't resolved.

The impact of this problem on any particular system varies. In general, the risk is higher if the system allows users to send arbitrary CBOR objects without authentication, or exposes a remote endpoint in which arbitrary CBOR objects can be sent without authentication.
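As an added defensive example (not code from this page or from the com.upokecenter:cbor library), the following Python scanner walks raw CBOR bytes without materialising any objects and counts shared-reference tags (tag 29, with tag 28 marking shareable values, per the IANA CBOR tags registry) together with nesting depth, so a service can reject a payload before it reaches a decoder that resolves references. The limits and the sample payload are assumptions constructed here.

```python
# Shared-reference tags from the IANA CBOR tags registry: 28 marks a value as
# shareable, 29 references the n-th marked value.
TAG_SHAREDREF = 29
BREAK = 0xFF  # stop code that ends indefinite-length items

def _head(buf, pos):
    """Read an initial byte and its argument: (major type, argument, next pos); argument None = indefinite."""
    ib = buf[pos]
    mt, ai = ib >> 5, ib & 0x1F
    pos += 1
    if ai < 24:
        return mt, ai, pos
    if ai == 31:
        return mt, None, pos
    n = {24: 1, 25: 2, 26: 4, 27: 8}[ai]  # 28-30 are reserved: KeyError means malformed input
    return mt, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def _scan(buf, pos, depth, stats):
    """Walk one data item without materialising it, tracking tag-29 count and nesting depth."""
    stats["depth"] = max(stats["depth"], depth)
    mt, arg, pos = _head(buf, pos)
    if mt in (0, 1, 7):                    # integers, simple values, floats: consumed by _head
        return pos
    if mt in (2, 3) and arg is not None:   # definite-length byte/text string: skip payload
        return pos + arg
    if mt == 6:                            # tag: count references, then scan the tagged item
        if arg == TAG_SHAREDREF:
            stats["refs"] += 1
        return _scan(buf, pos, depth + 1, stats)
    if arg is None:                        # indefinite-length string chunks, array or map
        while buf[pos] != BREAK:
            pos = _scan(buf, pos, depth + 1, stats)
        return pos + 1
    for _ in range(arg if mt == 4 else 2 * arg):  # a map holds arg key/value pairs
        pos = _scan(buf, pos, depth + 1, stats)
    return pos

def scan_stats(buf):
    """Return {'refs': tag-29 count, 'depth': max nesting} for one top-level item."""
    stats = {"refs": 0, "depth": 0}
    if _scan(buf, 0, 0, stats) != len(buf):
        raise ValueError("trailing bytes after the top-level CBOR item")
    return stats

def is_safe(buf, max_refs=64, max_depth=32):
    """Gate to apply before handing untrusted bytes to a decoder that resolves references."""
    s = scan_stats(buf)
    return s["refs"] <= max_refs and s["depth"] <= max_depth

# Constructed sample: [1, 2] marked shareable (tag 28), then referenced twice (tag 29, index 0).
SAMPLE = bytes.fromhex("83 d81c 82 01 02 d81d 00 d81d 00")
```

The thresholds are policy choices; a pre-check like this limits exposure on the unpatched 3.x line but does not replace the upgrade.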

How to fix Denial of Service (DoS)?

Upgrade com.upokecenter:cbor to version 4.0.0 or higher.

Vulnerable versions: [,4.0.0)