- Task
- Resolution: Done
- Neutral
- None
- BOM 5.7.27, BOM 6.2.35
- None
- Yes
[ERROR] json-io-4.14.0.jar: CVE-2023-34610(7.5)
Awaiting analysis
https://nvd.nist.gov/vuln/detail/CVE-2023-34610
Apparently only used by the cache browser app in dx-core 6.2.x:
[INFO] | +- info.magnolia.cache:magnolia-cache-browser-app:jar:5.9.6:compile
[INFO] | | \- com.cedarsoftware:json-io:jar:4.14.0:compile
Magnolia is already at the latest json-io version at the moment of writing. Perhaps worth moving to gson there, which seems to be more actively maintained? https://github.com/jdereg/json-io
Update
No reaction from vendor after more than one month. According to https://github.com/jdereg/json-io/issues/169:
Using json-io to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Magnolia uses the potentially vulnerable API (JsonReader.jsonToJava) at https://git.magnolia-cms.com/projects/MODULES/repos/cache/browse/magnolia-cache-browser-app/src/main/java/info/magnolia/cache/browser/rest/endpoint/CacheEndpoint.java#219.
However, the input can’t be provided by unlogged users and depends on module configuration which only admins can access. Exploiting this seems very unlikely, therefore I would dismiss the CVE.
Alternatively, one could replace json-io with gson.
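The failure mode described in the json-io issue is a recursive parser overflowing the stack on deeply nested input. Whichever library ends up being used, the cheap mitigation on the defending side is to bound nesting depth before the text reaches a recursive parser. The class below is an added example and is not Magnolia's, json-io's or gson's code; the class name, the 64-level MAX_DEPTH and the sample inputs are assumptions chosen for illustration. The scan is a single iterative pass that skips over string literals (including escaped quotes inside them), so it cannot itself overflow, and it does not attempt to validate JSON syntax, which remains the parser's job.

```java
/**
 * Pre-parse guard for untrusted JSON: rejects documents whose bracket nesting
 * exceeds a fixed bound before they are handed to a recursive parser such as
 * json-io's JsonReader.jsonToJava. (Added example; MAX_DEPTH is an assumed value.)
 */
public final class JsonDepthGuard {

    /** Assumed limit; keep it far below what the JVM's default thread stack can recurse. */
    public static final int MAX_DEPTH = 64;

    public static final class TooDeeplyNestedException extends IllegalArgumentException {
        public TooDeeplyNestedException(int depth, int limit) {
            super("JSON nesting depth " + depth + " exceeds limit " + limit);
        }
    }

    /**
     * Scans the raw text once, tracking '{'/'[' depth while skipping string
     * literals (and backslash-escaped characters inside them), and returns the
     * maximum depth seen. Iterative, so it cannot overflow the stack itself.
     */
    public static int maxNestingDepth(String json) {
        int depth = 0;
        int max = 0;
        boolean inString = false;
        boolean escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (escaped) {
                    escaped = false;          // the escaped character is consumed
                } else if (c == '\\') {
                    escaped = true;           // next character is part of the literal
                } else if (c == '"') {
                    inString = false;         // closing quote
                }
                continue;                     // brackets inside strings do not count
            }
            switch (c) {
                case '"':
                    inString = true;
                    break;
                case '{':
                case '[':
                    depth++;
                    if (depth > max) {
                        max = depth;
                    }
                    break;
                case '}':
                case ']':
                    if (depth > 0) {
                        depth--;              // malformed extra closers are ignored here
                    }
                    break;
                default:
                    break;
            }
        }
        return max;
    }

    /** Returns the input unchanged if it is within the limit, otherwise throws before any parser runs. */
    public static String checkDepth(String json, int limit) {
        int depth = maxNestingDepth(json);
        if (depth > limit) {
            throw new TooDeeplyNestedException(depth, limit);
        }
        return json;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign document (brackets inside the string
        // value must not count) and a 100,000-level nested array.
        String benign = "{\"key\":\"[not a bracket]\",\"items\":[1,[2,[3]]]}";
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 100_000; i++) sb.append('[');
        for (int i = 0; i < 100_000; i++) sb.append(']');
        String hostile = sb.toString();

        System.out.println("benign depth = " + maxNestingDepth(benign));   // 4
        try {
            checkDepth(hostile, MAX_DEPTH);
        } catch (TooDeeplyNestedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Only text that passes the guard would be handed on, e.g.
        // JsonReader.jsonToJava(checkDepth(benign, MAX_DEPTH)).
    }
}
```

In the CacheEndpoint case the guard would sit between reading the request body and the jsonToJava call; because the depth bound is enforced on the raw text, it stays valid if json-io is later swapped for gson under MGNLCACHE-299, and it complements rather than replaces the access restriction the ticket already relies on.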
- is related to: MGNLCACHE-299 Replace json-io with gson (Open)