Miggo Logo
Miggo Vulnerability Database
CVE-2023-34620

CVE-2023-34620: hjson stack exhaustion vulnerability

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-34620
GHSA ID
GHSA-5wfc-hjrc-gq87
EPSS Score
0.32735%
CWE
CWE-400
Published
6/14/2023
Updated
11/8/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.hjson:hjsonmaven<= 3.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The stack trace in the PoC shows recursive calls between readObject and readValue methods during parsing. This indicates a recursive descent parser implementation without depth limiting mechanisms. The vulnerability manifests when processing cyclic/overly nested structures through these recursive calls, eventually exhausting the stack. The correlation with CWE-400 (uncontrolled resource consumption) and the provided PoC demonstrating stack overflow confirm this analysis. Similar vulnerabilities in other JSON parsers (Jackson/GSON) were resolved by adding depth tracking or iterative parsing, further supporting this conclusion.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** *json t*rou** *.*.* *llows *tt**k*rs to **us* * **ni*l o* s*rvi** or ot**r unsp**i*i** imp**ts vi* *r**t** o*j**ts t**t ***ply n*st** stru*tur*s.

Reasoning

T** st**k tr*** in t** Po* s*ows r**ursiv* **lls **tw**n `r***O*j**t` *n* `r***V*lu*` m*t*o*s *urin* p*rsin*. T*is in*i**t*s * r**ursiv* **s**nt p*rs*r impl*m*nt*tion wit*out **pt* limitin* m****nisms. T** vuln*r**ility m*ni**sts w**n pro**ssin* *y*l