[BUILD-1098] Dismiss CVE concerning json-io Created: 20/Jun/23  Updated: 05/Jul/23  Resolved: 30/Jun/23

Status: Closed
Project: Build
Component/s: None
Affects Version/s: BOM 5.7.27, BOM 6.2.35
Fix Version/s: None

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
is related to MGNLCACHE-299 Replace json-io with gson Open
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Team: Foundation
Work Started:
Approved:
Yes

 Description   
[ERROR] json-io-4.14.0.jar: CVE-2023-34610(7.5) 

Awaiting analysis

https://nvd.nist.gov/vuln/detail/CVE-2023-34610

Apparently only used by the cache browser app in dx-core 6.2.x

[INFO] |  +- info.magnolia.cache:magnolia-cache-browser-app:jar:5.9.6:compile
[INFO] |  |  \- com.cedarsoftware:json-io:jar:4.14.0:compile

Magnolia is already at the latest json-io version at the moment of writing. Perhaps worth moving to gson there, which seems to be more actively maintained? https://github.com/jdereg/json-io

Update

No reaction from the vendor after more than one month. According to https://github.com/jdereg/json-io/issues/169:

Using json-io to parse an untrusted JSON string may be vulnerable to denial-of-service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash with a stack overflow.

Magnolia uses the potentially vulnerable API (JsonReader.jsonToJava) at https://git.magnolia-cms.com/projects/MODULES/repos/cache/browse/magnolia-cache-browser-app/src/main/java/info/magnolia/cache/browser/rest/endpoint/CacheEndpoint.java#219.
However, the input can't be provided by users who are not logged in, and it depends on module configuration which only admins can access. Exploiting this seems very unlikely, therefore I would dismiss the CVE.

Alternatively, one could replace json-io with gson.
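Added example, not code from the Magnolia cache module or from json-io: the issue quoted above describes a recursive parser being driven into a stack overflow by deeply nested input. If the JsonReader.jsonToJava call is kept, the cheapest compensating control is an iterative nesting-depth check run over the raw text before the parser sees it. The check itself is a plain loop, so it cannot overflow the stack, and it skips string literals so brackets inside strings are not counted. The class and method names are hypothetical, and the parser is passed in as a function; JsonReader::jsonToJava (assumed String -> Object, json-io 4.x) would be the real argument, while the stand-in below keeps the example compilable with only the JDK.

```java
import java.util.function.Function;

/** Hypothetical nesting-depth guard placed in front of a JSON parser (example code). */
public final class JsonDepthGuard {

    /**
     * Returns the maximum nesting depth of objects/arrays in the text.
     * Iterative on purpose: the guard must not be vulnerable to the
     * same stack exhaustion it is meant to prevent.
     */
    public static int nestingDepth(String json) {
        int depth = 0, max = 0;
        boolean inString = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (c == '\\') { i++; }            // skip the escaped character
                else if (c == '"') { inString = false; }
                continue;
            }
            switch (c) {
                case '"': inString = true; break;
                case '{': case '[': if (++depth > max) max = depth; break;
                case '}': case ']': if (depth > 0) depth--; break;
                default: break;
            }
        }
        return max;
    }

    /**
     * Rejects over-nested input before handing it to the real parser.
     * For the Magnolia endpoint the parser argument would be JsonReader::jsonToJava
     * (assumed signature String -> Object from json-io 4.x; not verified here).
     */
    public static Object guardedParse(String json, int maxDepth, Function<String, Object> parser) {
        int depth = nestingDepth(json);
        if (depth > maxDepth) {
            throw new IllegalArgumentException(
                "JSON nesting depth " + depth + " exceeds limit " + maxDepth);
        }
        return parser.apply(json);
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign document (depth 3, brackets inside the string
        // literal are ignored) and a 100,000-deep array of the kind that drives a
        // recursive-descent parser into StackOverflowError.
        String benign = "{\"key\": [1, 2, {\"nested\": \"[not a bracket]\"}]}";
        String hostile = "[".repeat(100_000) + "]".repeat(100_000);

        // Stand-in parser so the example runs without json-io on the classpath.
        Function<String, Object> parser = s -> "parsed " + s.length() + " chars";

        System.out.println(guardedParse(benign, 64, parser));   // accepted, depth 3
        try {
            guardedParse(hostile, 64, parser);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());  // depth 100000 > 64
        }
    }
}
```

The limit of 64 is an arbitrary value chosen for the example; pick one comfortably above the deepest legitimate document the endpoint handles. A depth check does not cover other parser resource issues (very long strings, huge numbers), so it is a stopgap alongside the authentication and admin-only configuration already noted above, not a substitute for moving to a maintained library.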


Generated at Sun Feb 11 23:48:07 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.