Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability found on twilio inner dependency: org.json:json:20230227 #825

Open
RunageINC opened this issue Dec 18, 2024 · 2 comments
Open

Vulnerability found on twilio inner dependency: org.json:json:20230227 #825

RunageINC opened this issue Dec 18, 2024 · 2 comments

Comments

@RunageINC
Copy link

Issue Summary

Vulnerability found on org.json:json:20230227 for release 10.6.4

Steps to Reproduce

Just by adding the dependency I was already notified by IntelliJ IDE

Vulnerability Summary

A denial of service vulnerability in JSON-Java was discovered by "ClusterFuzz" (https://google.github.io/clusterfuzz/). A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using "" to escape special characters, including "" itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of "" characters in the escaped string. Severity High - Because this is an already-fixed DoS vulnerability, the only remaining impact possible is for existing binaries that have not been updated yet. Proof of Concept package orgjsonbug; import org.json.JSONObject; /** * Illustrates a bug in JSON-Java. */ public class Bug { private static String makeNested(int depth) { if (depth == 0) { return "{"a":1}"; } return "{"a":1;\t\0" + makeNested(depth - 1) + ":1}"; } public static void main(String[] args) { String input = makeNested(30); System.out.printf("Input string has length %d: %s\n", input.length(), input); JSONObject output = new JSONObject(input); System.out.printf("Output JSONObject has length %d: %s\n", output.toString().length(), output); } } When run, this reports that the input string has length 367. Then, after a long pause, the program crashes inside new JSONObject with OutOfMemoryError. Further Analysis The issue is fixed by "this PR" (stleary/JSON-java#759). Timeline Date reported: 07/14/2023 Date fixed: Date disclosed: 10/12/2023

Technical details:

  • twilio-java version: 10.6.4
  • java version: 21
@allantodd
Copy link
Contributor

Duplicate of #821

@manisha1997
Copy link
Contributor

#822
This PR has already addressed the issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@manisha1997 @RunageINC @allantodd