ankeshdave/geotools

CVE-2024-21634 (High) detected in ion-java-1.0.2.jar

Opened this issue · 0 comments

mend-bolt-for-github commented

CVE-2024-21634 - High Severity Vulnerability

Vulnerable Library - ion-java-1.0.2.jar

A Java implementation of the Amazon Ion data notation.

Library home page: https://github.com/amznlabs/ion-java/

Path to dependency file: /geotools/modules/plugin/coverage-multidim/netcdf/pom.xml

Path to vulnerable library: /root/.m2/repository/software/amazon/ion/ion-java/1.0.2/ion-java-1.0.2.jar,/root/.m2/repository/software/amazon/ion/ion-java/1.0.2/ion-java-1.0.2.jar

Dependency Hierarchy:

  • cdm-4.6.11.jar (Root Library)
    • aws-java-sdk-s3-1.11.236.jar
      • aws-java-sdk-core-1.11.236.jar
        • ion-java-1.0.2.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in ion-java for applications that use ion-java to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the IonValue model and then invoke certain IonValue methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the IonValue model, results in a StackOverflowError originating from the ion-java library. The patch is included in ion-java 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with.

Publish Date: 2024-01-03

URL: CVE-2024-21634

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-264p-99wq-f4j6

Release Date: 2024-01-03

Fix Resolution: com.amazon.ion:ion-java:1.10.5

Step up your Open Source Security Game with Mend here