CVE-2013-3300: Lift Sensitive Information Disclosure
CVSS Score: 4.0 (CVSS v2)
Basic Information
CVE ID: CVE-2013-3300
GHSA ID:
EPSS Score: 0.39732%
CWE:
Published: 5/17/2022
Updated: 8/29/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N (CVSS v2: network-reachable, low attack complexity, a single authentication required, partial confidentiality impact, no integrity or availability impact)
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
net.liftweb:lift-webkit | maven | < 2.5 | 2.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how the JSON parser's `near` method builds the context snippet that is embedded in parse error messages. The original implementation passed `(cur + 1) min Segments.segmentSize` directly as the third argument of the `String(char[], offset, count)` constructor. That expression is the end index of the snippet, not its length: the snippet begins at an earlier start offset, so the constructor copied `start` characters more than intended, running past the end of the current request's data. Because the parser reuses pooled character segments (the `Segments` pool that `segmentSize` refers to) across requests without clearing them, those extra characters were residue from previously parsed input, and they were returned to the client inside the error message. The patch computes the count explicitly as `end_index - start_index`, which confirms the root cause, and the accompanying test asserts that error messages no longer carry excess buffer contents. In practice, any user who can submit a malformed JSON body and read the resulting error response could trigger the disclosure.
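The following Java program is an added illustration of this bug class and is not code from lift-webkit or from the advisory. It models a single reusable parse segment, a vulnerable `near` that passes the end index as the count, and the patched `near` that passes `end - start`; the segment size (64), the 20-character look-back window before `cur`, the toy scanner and all class and method names are assumptions made for the example.

```java
public final class NearSnippetDemo {
    // Size of one reusable parse segment; the real value is not stated on this
    // page, so 64 is an assumption for the demo.
    static final int SEGMENT_SIZE = 64;
    // A single char[] standing in for the parser's pooled segment. It is never
    // cleared between requests, which is what turns the length bug into a leak.
    static final char[] SEGMENT = new char[SEGMENT_SIZE];
    // Characters of context shown before the failing position (assumed value).
    static final int LOOK_BACK = 20;

    /** Copy a request into the shared segment, leaving any older tail in place. */
    static int load(String request) {
        int n = Math.min(request.length(), SEGMENT_SIZE);
        request.getChars(0, n, SEGMENT, 0);
        return n;
    }

    /** Toy scanner: index of the first character that cannot appear in the JSON text, or -1. */
    static int firstBadChar(int length) {
        for (int i = 0; i < length; i++) {
            char c = SEGMENT[i];
            boolean ok = Character.isLetterOrDigit(c) || " {}[]:,\"-.+_".indexOf(c) >= 0;
            if (!ok) return i;
        }
        return -1;
    }

    /** Vulnerable form: the third argument is an end index, but the constructor takes a count. */
    static String nearVulnerable(int cur) {
        int start = Math.max(cur - LOOK_BACK, 0);
        int endUsedAsLength = Math.min(cur + 1, SEGMENT_SIZE);
        return new String(SEGMENT, start, endUsedAsLength);
    }

    /** Patched form: count is the end index minus the start index. */
    static String nearFixed(int cur) {
        int start = Math.max(cur - LOOK_BACK, 0);
        int end = Math.min(cur + 1, SEGMENT_SIZE);
        return new String(SEGMENT, start, end - start);
    }

    /** The part of a snippet that lies past the current request's own characters: residue from earlier requests. */
    static String residue(String snippet, int cur, int requestLength) {
        int start = Math.max(cur - LOOK_BACK, 0);
        int own = requestLength - start; // characters of the snippet that belong to this request
        return own < snippet.length() ? snippet.substring(own) : "";
    }

    public static void main(String[] args) {
        // Constructed sample traffic: a victim's request is parsed first, then an
        // attacker's malformed request reuses the same segment.
        load("{\"username\":\"alice\",\"password\":\"s3cr3t-hunter2\",\"token\":\"ZZ\"}");
        int attackerLen = load("{\"username\":\"mallory\",\"role\":\"guest\" @");
        int cur = firstBadChar(attackerLen); // position of the '@'

        String leaky = nearVulnerable(cur);
        String safe = nearFixed(cur);
        System.out.println("vulnerable error near: " + leaky);
        System.out.println("residue from previous request: '" + residue(leaky, cur, attackerLen) + "'");
        System.out.println("patched error near: " + safe);
        System.out.println("residue with patch: '" + residue(safe, cur, attackerLen) + "'");
    }
}
```

With the attacker's request the failing position is 37, so the vulnerable form copies 38 characters starting at offset 17 and the tail of the snippet is the previous request's password material; the patched form copies 21 characters and stops at the `@`. Note that the overshoot is bounded by the segment: Java's `String(char[], int, int)` bounds-checks the array, so for a failing position past roughly `(SEGMENT_SIZE + LOOK_BACK) / 2` the vulnerable form throws `StringIndexOutOfBoundsException` instead of leaking. The disclosure is of stale data inside the reused segment, not of memory outside it.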