Allocation of Resources Without Limits or Throttling Affecting com.amazon.ion:ion-java package, versions [,1.10.5)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-COMAMAZONION-6143590
- published 4 Jan 2024
- disclosed 3 Jan 2024
- credit Unknown
Introduced: 3 Jan 2024
CVE-2024-21634 Open this link in a new tabHow to fix?
Upgrade com.amazon.ion:ion-java to version 1.10.5 or higher.
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the deserialization of Ion text encoded data or the IonValue model processing. An attacker can cause a StackOverflowError by crafting malicious Ion data that triggers excessive resource consumption when loaded or processed. This is only exploitable if the application deserializes Ion data from an untrusted source or data that could have been tampered with.
Notes:
According to the README.md file of this package, its domain changed from software.amazon.ion to com.amazon.ion. Please be aware that this vulnerability affects versions of both domains of this package.
For a fix, please check the advisory on the maintained package.
Workaround
This vulnerability can be mitigated by not loading data from untrusted sources or that could have been tampered with.