Bug 13253

Summary:	[CVE 21] jettison 1.3.7 CVEs found
Product:	[ROSA-based products] ROSA Fresh	Reporter:	Yury <y.tumanov>
Component:	System (kernel, glibc, systemd, bash, PAM...)	Assignee:	ROSA Linux Bugs <bugs>
Status:	RESOLVED WONTFIX	QA Contact:	ROSA Linux Bugs <bugs>
Severity:	normal
Priority:	Normal	CC:	m.novosyolov, s.matveev, y.tumanov
Version:	All	Flags:	y.tumanov: secteam_verified+
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	CVE-2022-45685, CVE-2022-45693, CVE-2023-1436,
Whiteboard:
Platform:	2021.1	ROSA Vulnerability identifier:
RPM Package:		ISO-related:
Bad POT generating:		Upstream:

Description Yury 2023-05-02 16:37:55 MSK

Please patch CVEs for package jettison version 1.3.7  
INFO (CVEs are): jettison 1.3.7 cves found
CVE-2022-45685
Desc: A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-45685
Severity: HIGH
CVE-2022-45693
Desc: Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-45693
Severity: HIGH
CVE-2023-1436
Desc: An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-1436
Severity: HIGH