CVE-2023-5072 - Vulnerability with hawtio #2958

sasikumar-ms7 · 2023-10-17T21:06:01Z

New vulnerability CVE-2023-5072 is identified with latest stable version of hawtio 2.17.6. This vulnerability is from org.json:json-20230227. Please upgrade to json:20231013 to fix this vulnerability.

Error details as follows
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.

tadayosi · 2023-10-27T08:36:06Z

@mmelko Could you have a look?

jbertram · 2023-10-31T16:22:41Z

Any update on this? I'm looking to get this fixed in ActiveMQ Artemis.

mmelko · 2023-11-06T14:00:17Z

3.x: #2972
4.x: #2971
main: #2970

jbertram · 2023-11-06T16:54:52Z

ActiveMQ Artemis is currently using 2.17.6. Will there be a 2.17.7 release with this fix?

tadayosi · 2023-11-07T05:09:40Z

@jbertram Releasing 2.17.7 soon.

tadayosi assigned mmelko Oct 27, 2023

tadayosi linked a pull request Nov 7, 2023 that will close this issue

chore: update org.json to 20231013 #2972

Merged

tadayosi closed this as completed Nov 7, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2023-5072 - Vulnerability with hawtio #2958

CVE-2023-5072 - Vulnerability with hawtio #2958

sasikumar-ms7 commented Oct 17, 2023 •

edited

tadayosi commented Oct 27, 2023

jbertram commented Oct 31, 2023

mmelko commented Nov 6, 2023

jbertram commented Nov 6, 2023

tadayosi commented Nov 7, 2023

CVE-2023-5072 - Vulnerability with hawtio #2958

CVE-2023-5072 - Vulnerability with hawtio #2958

Comments

sasikumar-ms7 commented Oct 17, 2023 • edited

tadayosi commented Oct 27, 2023

jbertram commented Oct 31, 2023

mmelko commented Nov 6, 2023

jbertram commented Nov 6, 2023

tadayosi commented Nov 7, 2023

sasikumar-ms7 commented Oct 17, 2023 •

edited