Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2022-45688: A stack overflow in the XML.toJSONObject component #1968

Closed
AlaaAttya opened this issue Jan 31, 2023 · 5 comments
Closed

CVE-2022-45688: A stack overflow in the XML.toJSONObject component #1968

AlaaAttya opened this issue Jan 31, 2023 · 5 comments
Assignees
@Neenu1995
Labels
api: bigquerystorage Issues related to the googleapis/java-bigquerystorage API.

Comments

@AlaaAttya
Copy link

There's a CVE raised for org.json:json:jar:20220924:compile
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45688
@product-auto-label product-auto-label bot added the api: bigquery Issues related to the BigQuery API. label Jan 31, 2023
@Neenu1995 Neenu1995 self-assigned this Jan 31, 2023
@Neenu1995
Copy link
Contributor

Thanks for reporting this @AlaaAttya

@Neenu1995 Neenu1995 transferred this issue from googleapis/java-bigquery Feb 1, 2023
@product-auto-label product-auto-label bot added api: bigquerystorage Issues related to the googleapis/java-bigquerystorage API. and removed api: bigquery Issues related to the BigQuery API. labels Feb 1, 2023
@Neenu1995 Neenu1995 reopened this Feb 1, 2023
@suztomo
Copy link
Member

suztomo commented Feb 1, 2023
edited
Loading

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

I don't see "org.json:json" in the link. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45688 Is hutool-json related to "org.json:json"?

@Neenu1995
Copy link
Contributor

It mentions stleary/JSON-java#708

@suztomo
Copy link
Member

suztomo commented Feb 2, 2023
edited
Loading

https://github.com/stleary/JSON-java/blob/master/pom.xml is org.json:json. Thank you.

image

@Neenu1995
Copy link
Contributor

java-bigquerystorage don't use XML.toJSONObject. Closing this because the CVE doesn't affect Bigquery Storage library.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Neenu1995 Neenu1995

Labels
api: bigquerystorage Issues related to the googleapis/java-bigquerystorage API.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@suztomo @AlaaAttya @Neenu1995