SCA: security update for org.apache.johnzon:johnzon-mapper (GHSA-crqg-jrpj-fc84)

medium Tenable Cloud Security Plugin ID 414078

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. A malicious
attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache
Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow
conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000
(by default) to the BigDecimal. This issue affects Apache Johnzon: through 1.2.20. (CVE-2023-33008)

See Also

https://github.com/advisories/GHSA-crqg-jrpj-fc84

Plugin Details

Severity: Medium

ID: 414078

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2023-33008

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/7/2023

Vulnerability Publication Date: 7/7/2023

Reference Information

CVE: CVE-2023-33008

cwe: CWE-502