Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Uncaught Exception in Parser #60

Closed
GanbaruTobi opened this issue Feb 22, 2021 · 8 comments
Closed

Uncaught Exception in Parser #60

GanbaruTobi opened this issue Feb 22, 2021 · 8 comments
Labels
duplicate

Comments

@GanbaruTobi
Copy link

GanbaruTobi commented Feb 22, 2021
edited
Loading

The parser fails to throw the ParseException when the parser expects the input to be of the float number type AND the input not being a valid number. This can lead to uncaught exceptions by unexpected input, which may lead to Denial-of-Service (DoS).

json-smart-v2/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java

Lines 139 to 147 in 4402bae

protected Number extractFloat() throws ParseException {
if (!acceptLeadinZero)
checkLeadinZero();
if (!useHiPrecisionFloat)
return Float.parseFloat(xs);
if (xs.length() > 18) // follow JSonIJ parsing method
return new BigDecimal(xs);
return Double.parseDouble(xs);
}

Parser Input of "-." or "2e+" or "[45e-" will crash with a NumberFormatException.

== Java Exception: java.lang.NumberFormatException: For input string: "-."
	at java.base/jdk.internal.math.FloatingDecimal.readJavaFormatString(FloatingDecimal.java:2054)
	at java.base/jdk.internal.math.FloatingDecimal.parseDouble(FloatingDecimal.java:110)
	at java.base/java.lang.Double.parseDouble(Double.java:549)
	at net.minidev.json.parser.JSONParserBase.extractFloat(JSONParserBase.java:141)
This was referenced Feb 23, 2021
Closed
Merged
@pronovic
Copy link

Note that this is tied to CVE-2021-27568, categorized as base score 9.1 (critical).

@UrielCh UrielCh added duplicate in progress a fix is in progresse. and removed in progress a fix is in progresse. labels Apr 1, 2021
@UrielCh
Copy link
Contributor

UrielCh commented Apr 4, 2021

CVE-2021-27568 is now fully fixed in

  • json-smart(v2) for java 1.8 +
  • json-smart(v1) for java 1.6 +
  • json-smart-mini for java 1.6 +

@UrielCh UrielCh closed this as completed Apr 4, 2021
@ounsworth
Copy link

Can someone explain why this was given a base score of 9.1?
That seems excessively alarmist given that the invalid input is detected and an exception thrown ...

@UrielCh
Copy link
Contributor

UrielCh commented Apr 9, 2021

I think that the issue was more about the vanilla java exception, I think it can disclose the java virtual machine type.

I do not know how they measure the score.

@GanbaruTobi
Copy link
Author

The score was created on MITREs side. I don't know how they calculated it.

@ounsworth
Copy link

ounsworth commented Apr 10, 2021
edited
Loading

Ok, I dug a bit. MITRE rated it like this:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector: None, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality: High, Integrity: None, Availability: High.

I would have scored it the same except for Confidentiality: High. I guess that's because of the potential for a stack trace getting returned to the end user? But this bug does not guarantee that a stack trace is returned to the user, for that the library would have to be used by an application returns unexpected stack traces to the user in a 500 body, which well-behaved apps should not be doing anyways. If that understanding is correct, I would have called this Confidentiality: Low or None, which would have given a Base Score of 8.2 or 7.5 respectively -- which are out of the Critical range.

There may also be wiggle-room on Availability: High. This bug does not guarantee that the application crashes; that would only be the case if the calling application does not have a generic catch (Exception e) anywhere in the call stack and this NumberFormatException gets all the way back to the JRE, which again is probably uncommon in well-behaved apps that parse user input. Availability: Low might be a better rating?

I'm making a fuss because 9.0 - 10.0 is Critical, and having those show up can trigger emergency patching policies or delays to release schedules. Is it possible to ask MITRE to re-evaluate the scoring of this issue?

@GanbaruTobi
Copy link
Author

GanbaruTobi commented Apr 10, 2021 via email

@pcy190 pcy190 mentioned this issue Apr 23, 2021
Closed
@dpeger dpeger mentioned this issue Apr 23, 2021
Merged
@dpeger
Copy link
Contributor

dpeger commented Apr 26, 2021
edited
Loading

@GanbaruTobi out of curiosity: Would you consider this issue fixed if NumberFormatException was declared in the throws-clause of extractFloat():

protected Number extractFloat() throws ParseException, NumberFormatException {
   ...
}

And the corresponding public methods that use extractFloat().

UrielCh added a commit that referenced this issue Apr 30, 2021
@UrielCh
Merge pull request #72 from dpeger/fixes/v2.3/parse-numberformatexcep…
7304d1e 
…tion

[#60][#62] Unchecked Exception in Parser
@StephenWikeTBCT StephenWikeTBCT mentioned this issue May 5, 2021
Closed
This was referenced May 17, 2021
Closed
Closed
Closed
@AASMACMX AASMACMX mentioned this issue Mar 7, 2023
Open
@AASMACMX AASMACMX mentioned this issue Jul 10, 2023
Open
@AASMACMX AASMACMX mentioned this issue Jul 20, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@ounsworth @UrielCh @dpeger @pronovic @GanbaruTobi