CVE-2023-3894
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
The jackson-dataformats-text project is a collection of Jackson modules that provide support for handling various text-based data formats beyond JSON. It builds on Jackson’s core streaming, databinding, and tree model APIs, allowing developers to read and write alternative text formats through a consistent interface. Each format backend extends core Jackson abstractions like JsonFactory, JsonParser, and JsonGenerator, and some also provide ObjectMapper extensions for easier databinding. This makes it possible to work with multiple text formats in a unified way while still benefiting from Jackson’s flexibility and performance.
A Denial of Service (DoS) vulnerability (CVE-2023-3894) has been identified in Jackson Dataformats Text. Deeply nested TOML data can lead to StackOverflowErrors during processing. This issue could be exploited by attackers via specially crafted user input to cause a DoS attack.
Per CISA: A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. Services affected may include email, websites, online accounts (e.g., banking), or other services that rely on the affected computer or network. A denial-of-service condition is accomplished by flooding the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users. DoS attacks can cost an organization both time and money while their resources and services are inaccessible.
Details
Module Info
- Product: Jackson Dataformats Text
- Affected packages: jackson-dataformat-toml
- Affected versions: <2.15.0
- GitHub repository: https://github.com/FasterXML/jackson-dataformats-text
- Published packages: https://central.sonatype.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-toml
- Package manager: Maven
- Fixed In: NES for Jackson v2.13.6
Vulnerability Info
TOML (Tom’s Obvious, Minimal Language) is a human-friendly configuration file format designed to be simple, readable, and unambiguous. It is often used in applications and development tools as a way to define configuration settings in a structured format, similar in purpose to JSON or YAML but with a more minimal syntax. TOML supports hierarchical data through tables and arrays, making it a popular choice for configuration files where clarity and maintainability are important.
A vulnerability was identified in the TOML parser provided by jackson-dataformats-text. When processing user-supplied TOML input, specially crafted content could cause the parser to recurse too deeply, leading to a StackOverflowError. This exception can be triggered without special permissions or elevated access, potentially allowing an attacker to cause a denial of service (DoS) by exhausting system resources and bringing down applications that rely on the parser.
Mitigation
Only recent versions of Jackson Core are community-supported. Only the recent community-supported version will receive updates to address this issue. For more information, see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to supported versions of Jackson Dataformats Text >=2.15.0 and tune the depth limit to match your application’s expected input complexity.
- Avoid parsing untrusted or unauthenticated input and validate or pre-sanitize inputs for abnormal nesting.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
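The following is an added example (not code from the HeroDevs advisory or the Jackson project) showing how the depth limit mentioned in the first mitigation and the nesting check mentioned in the second can be applied in practice. It assumes Jackson 2.15 or later, where `StreamReadConstraints.maxNestingDepth` is enforced by the TOML parser, and Java 11 or later for `String.repeat`; the limit of 32 and the constructed inputs are illustrative values chosen here.

```java
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.dataformat.toml.TomlFactory;
import com.fasterxml.jackson.dataformat.toml.TomlMapper;

import java.io.IOException;

public class TomlDepthLimitExample {

    // Assumed application policy: real config files never nest deeper than this.
    private static final int MAX_NESTING_DEPTH = 32;

    // Build a TomlMapper whose parser rejects input nested deeper than the limit
    // instead of recursing until the thread stack is exhausted.
    static TomlMapper boundedMapper() {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNestingDepth(MAX_NESTING_DEPTH)
                .build();
        TomlFactory factory = TomlFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        return new TomlMapper(factory);
    }

    // Constructed test input: a single key whose value is `depth` nested arrays,
    // e.g. depth 3 -> a = [[[1]]]. Deep values of this shape are what the
    // advisory describes as triggering the StackOverflowError in old versions.
    static String nestedArrays(int depth) {
        return "a = " + "[".repeat(depth) + "1" + "]".repeat(depth) + "\n";
    }

    // Returns true if the document parsed, false if it was rejected by the
    // nesting constraint. Other I/O or syntax errors still propagate.
    static boolean parseWithinLimit(TomlMapper mapper, String toml) throws IOException {
        try {
            JsonNode root = mapper.readTree(toml);
            return root != null;
        } catch (StreamConstraintsException e) {
            // Rejected early, in bounded time and stack space; log and move on.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        TomlMapper mapper = boundedMapper();
        System.out.println(parseWithinLimit(mapper, nestedArrays(8)));   // accepted
        System.out.println(parseWithinLimit(mapper, nestedArrays(200))); // rejected
    }
}
```

The same `StreamReadConstraints` object can be shared across all Jackson factories in an application so that JSON, YAML and TOML inputs are held to one consistent limit.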