CVE-2022-40150 : Those using Jettison to parse untrusted XML or JSON data may be vulnerable to De

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

Published 2022-09-16 10:15:10

Updated 2023-07-13 17:24:33

Source Google Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2022-40150

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
Jettison Project » Jettison
Versions up to, including, (<=) 1.4.0
cpe:2.3:a:jettison_project:jettison:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-40150

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 12 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-40150

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	2.8	3.6	Google Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-40150

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.
Assigned by:
- cve-coordination@google.com (Secondary)
- nvd@nist.gov (Primary)
CWE-674 Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-40150

https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html

[SECURITY] [DLA 3259-1] libjettison-java security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2023/dsa-5312

Debian -- Security Information -- DSA-5312-1 libjettison-java
Third Party Advisory

CVEs referencing this url
https://github.com/jettison-json/jettison/issues/45

New OSS-Fuzz Findings in Jettison · Issue #45 · jettison-json/jettison · GitHub
Issue Tracking;Third Party Advisory

CVEs referencing this url
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549

Sign in - Google Accounts
Issue Tracking;Permissions Required;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-40150

Products affected by CVE-2022-40150

Exploit prediction scoring system (EPSS) score for CVE-2022-40150

CVSS scores for CVE-2022-40150

CWE ids for CVE-2022-40150

References for CVE-2022-40150