Build / BUILD-1098

Dismiss CVE concerning json-io

Details

    Type: Task
    Resolution: Done
    Priority: Neutral
    Fix Version/s: BOM 5.7.27, BOM 6.2.35

    Description

      [ERROR] json-io-4.14.0.jar: CVE-2023-34610(7.5) 

      Awaiting analysis

      https://nvd.nist.gov/vuln/detail/CVE-2023-34610

      Apparently only used by the cache browser app in dx-core 6.2.x:

      [INFO] |  +- info.magnolia.cache:magnolia-cache-browser-app:jar:5.9.6:compile
      [INFO] |  |  \- com.cedarsoftware:json-io:jar:4.14.0:compile
      

      Magnolia is already at the latest json-io version at the moment of writing. Perhaps it is worth moving to gson there, which seems to be more actively maintained? https://github.com/jdereg/json-io

      Update

      No reaction from the vendor after more than one month. According to https://github.com/jdereg/json-io/issues/169:

          Using json-io to parse untrusted JSON String may be vulnerable to denial of service (DoS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

      Magnolia uses the potentially vulnerable API (JsonReader.jsonToJava) at https://git.magnolia-cms.com/projects/MODULES/repos/cache/browse/magnolia-cache-browser-app/src/main/java/info/magnolia/cache/browser/rest/endpoint/CacheEndpoint.java#219.
      However, the input cannot be provided by users who are not logged in, and it depends on module configuration which only admins can access. Exploiting this seems very unlikely, therefore I would dismiss the CVE.

      Alternatively one could replace json-io with gson.
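      As an added illustration (not code from this ticket, from Magnolia, or from json-io), one way to blunt the stack-overflow vector the GitHub issue describes without waiting for a library fix: bound the nesting depth of the request body before it reaches JsonReader.jsonToJava. The class below is self-contained Java; the idea of calling it from CacheEndpoint, the limit of 64, and the sample payloads in main are assumptions made for the example.

```java
/**
 * Added example: a linear-time nesting-depth guard for JSON text that is
 * about to be handed to a recursive parser (e.g. json-io's
 * JsonReader.jsonToJava). Not Magnolia or json-io code; the depth limit and
 * the payloads below are assumptions for illustration.
 */
public final class JsonDepthGuard {

    private JsonDepthGuard() {}

    /**
     * Returns the maximum nesting depth of objects/arrays in the given JSON
     * text, skipping brackets that appear inside string literals (including
     * escaped quotes). Throws IllegalArgumentException as soon as the depth
     * exceeds maxDepth, so the caller can reject the payload (e.g. with a
     * 400) instead of letting a recursive parser overflow the stack.
     * This does not validate the JSON; that remains the parser's job.
     */
    public static int checkDepth(String json, int maxDepth) {
        int depth = 0;
        int max = 0;
        boolean inString = false;
        boolean escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (escaped) {
                    escaped = false;          // the char after a backslash is literal
                } else if (c == '\\') {
                    escaped = true;
                } else if (c == '"') {
                    inString = false;
                }
                continue;
            }
            switch (c) {
                case '"':
                    inString = true;
                    break;
                case '{':
                case '[':
                    depth++;
                    if (depth > maxDepth) {
                        throw new IllegalArgumentException(
                                "JSON nesting depth exceeds " + maxDepth);
                    }
                    max = Math.max(max, depth);
                    break;
                case '}':
                case ']':
                    depth--;
                    break;
                default:
                    break;
            }
        }
        return max;
    }

    /** Builds a constructed hostile payload: n nested arrays, "[[[...]]]". */
    public static String nestedArrays(int n) {
        StringBuilder sb = new StringBuilder(2 * n);
        for (int i = 0; i < n; i++) sb.append('[');
        for (int i = 0; i < n; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed benign body; brackets inside the string value must not count.
        String benign = "{\"keys\":[\"/travel\",\"/about\"],"
                + "\"note\":\"brackets in strings [[[[ are ignored\"}";
        System.out.println("benign depth = " + checkDepth(benign, 64)); // 2

        // Constructed attacker payload: 100,000 nested arrays. A parser that
        // recurses once per '[' would run out of stack on this input.
        String hostile = nestedArrays(100_000);
        try {
            checkDepth(hostile, 64);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

      The scan is a single pass over the input and rejects the payload at the 65th unmatched opening bracket, long before anything recursive runs. A swap to gson, as suggested above, does not by itself remove the need for such a cap: whether a library bounds nesting depth, and at what value, depends on the library and version, so the limit is best enforced at the endpoint.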

People

    Assignee: fgrilli Federico Grilli
    Reporter: fgrilli Federico Grilli