Dear Maintainer,

On Fri, 13 Oct 2023 15:26:55 +0200 Moritz Mühlenhoff <j...@inutil.org> wrote:
> Source: jenkins-json
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for jenkins-json.
>
> CVE-2023-5072[0]:
> | Denial of Service in JSON-Java versions up to and including
> | 20230618. A bug in the parser means that an input string of modest
> | size can lead to indefinite amounts of memory being used.
>
> https://github.com/stleary/JSON-java/issues/758
> https://github.com/stleary/JSON-java/issues/771
> https://github.com/stleary/JSON-java/pull/772/
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-5072
> https://www.cve.org/CVERecord?id=CVE-2023-5072
>
> Please adjust the affected versions in the BTS as needed.
For the record: https://www.jenkins.io/security/advisory/2023-12-13/ indicates that jenkins-json should be unaffected by the CVE, but I am skeptical as it obviously embeds code from json-java. But I have not found how to ask this simply.

One should try to see how jenkins-json behaves according to the problematic test cases committed in

https://github.com/stleary/JSON-java/commit/dbb113176b143b519ad0a50b033a9997cc2248fe (20231013)
https://github.com/stleary/JSON-java/commit/16967f322ee65c301b48fa79bb681e38896fd212 (20231013)
https://github.com/stleary/JSON-java/commit/661114c50dcfd53bb041aab66f14bb91e0a87c8a (20231013)

to examine if it is vulnerable.

Best,
-- 
Pierre