Miggo Logo
Miggo Vulnerability Database
CVE-2023-34617

CVE-2023-34617: genson vulnerable to stack exhaustion

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-34617
GHSA ID
GHSA-fj64-qprx-q7vq
EPSS Score
0.19971%
CWE
CWE-400
Published
6/14/2023
Updated
11/4/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.owlike:gensonmaven<= 1.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The stack trace in the GitHub issue shows recursive calls between JsonReader.beginArray and CollectionConverter.deserialize during nested structure parsing. Both functions lack depth-limiting mechanisms, enabling attackers to craft JSON with excessive nesting depth. This matches CWE-400 (uncontrolled resource consumption) and aligns with fixes in similar libraries like Jackson/GSON that replaced recursion with iteration or added depth tracking.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** **nson t*rou** *.* *llows *tt**k*rs to **us* * **ni*l o* s*rvi** or ot**r unsp**i*i** imp**ts vi* *r**t** o*j**ts t**t ***ply n*st** stru*tur*s.

Reasoning

T** st**k tr*** in t** *it*u* issu* s*ows r**ursiv* **lls **tw**n `JsonR****r.***in*rr*y` *n* `*oll**tion*onv*rt*r.**s*ri*liz*` *urin* n*st** stru*tur* p*rsin*. *ot* *un*tions l**k **pt*-limitin* m****nisms, *n**lin* *tt**k*rs to *r**t JSON wit* *x**