CVE-2022-40149

MEDIUM6.5EPSS 0.55%

Jettison parser crash by stackoverflow

Published: 9/17/2022Modified: 2/4/2026

Also known as:GHSA-56h3-78gp-v83rCGA-h3v5-5856-885rDEBIAN-CVE-2022-40149DLA-3184-1

Description

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

Affected packages (4)

Debian/libjettison-javafrom 0, < 1.5.3-1~deb11u1
Debian/libjettison-javafrom 0, < 1.4.0-1+deb10u1
Debian/libjettison-javafrom 0, < 1.5.3-1~deb11u1
Maven/org.codehaus.jettison:jettisonfrom 0, < 1.5.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (9)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-40149
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-40149
PATCHhttps://github.com/jettison-json/jettison
WEBhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538
WEBhttps://github.com/jettison-json/jettison/issues/45
WEBhttps://github.com/jettison-json/jettison/pull/49/files
WEBhttps://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1
WEBhttps://lists.debian.org/debian-lts-announce/2022/11/msg00011.html
WEBhttps://www.debian.org/security/2023/dsa-5312