PT-2022-28165 · Unknown · Com.Upokecenter.Cbor

Published: 2022-01-21 · Updated: 2024-01-26 · CVE-2024-23684

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: com.upokecenter.cbor, the Java implementation of Concise Binary Object Representation (CBOR), versions 4.0.0 through 4.5.1.

Description: Inefficient algorithmic complexity in the DecodeFromBytes function allows an attacker to cause a denial of service by passing a maliciously crafted input. Depending on how the application uses the library, the attack may be exploitable by a remote attacker. The vulnerability affects CBOR maps and any input that contains a CBOR map, including maps nested inside arrays, tags or other maps.

Recommendations: For versions 4.0.0 through 4.5.1, update to a release later than 4.5.1 (the latest version available, as indicated in the library's repository README). As a temporary workaround, check the input before passing it to a CBOR decoder to ensure it cannot contain a CBOR map: reject input whose first byte is in the range 0x80 through 0xDF (the initial byte of an array, map or tag, any of which can hold a map), and reject input that contains any byte in the range 0xA0 through 0xBF anywhere (the initial byte of a map). The second rule is deliberately conservative: it also rejects well-formed inputs such as byte strings or integers whose payload happens to contain a byte in that range, so applications that legitimately carry such values need a structural check of the CBOR head bytes instead of a plain byte scan.
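The two workaround checks above, as an added example that is not part of this advisory or of the CBOR-Java project. `advisory_precheck` implements the byte-range rule exactly as stated; `contains_map` goes one step further and walks the CBOR head bytes (major type and additional information, as defined by RFC 8949) so that map heads are recognised only where they occur structurally, not inside string payloads. Function names, the `MAX_DEPTH` limit and the sample inputs are this example's own assumptions; the sample inputs are constructed for illustration.

```python
# Added example, not code from the advisory or the CBOR-Java library.
# Two gates to place in front of a CBOR decoder (e.g. CBORObject.DecodeFromBytes)
# that reject any input containing a CBOR map. Names and limits are assumptions.

MAX_DEPTH = 256  # assumed nesting limit for the structural scan (protects the recursion)


class CborScanError(ValueError):
    """Raised for malformed or truncated CBOR; callers should treat it as a reject."""


def advisory_precheck(data: bytes) -> bool:
    """The advisory's byte-level workaround. Returns True if the input passes.

    Rejects input whose first byte is 0x80..0xDF (a top-level array, map or tag,
    any of which can hold a map) or that contains a byte 0xA0..0xBF anywhere
    (a possible map head). The second rule is conservative: it also rejects
    benign strings and integers whose payload happens to contain such a byte.
    """
    if not data:
        return False
    if 0x80 <= data[0] <= 0xDF:
        return False
    return not any(0xA0 <= b <= 0xBF for b in data)


def _arg(data: bytes, pos: int, ai: int):
    """Decode the argument of a CBOR head. ai < 24 is the value itself,
    24..27 means 1/2/4/8 following big-endian bytes, 31 is indefinite length.
    Returns (value, or None for indefinite; position after the argument)."""
    if ai < 24:
        return ai, pos
    if ai == 31:
        return None, pos
    if ai > 27:
        raise CborScanError(f"reserved additional info {ai} at offset {pos - 1}")
    n = 1 << (ai - 24)
    if pos + n > len(data):
        raise CborScanError("truncated head argument")
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def _scan_until_break(data: bytes, pos: int, depth: int):
    """Scan items of an indefinite-length container up to the 0xFF break byte."""
    saw = False
    while True:
        if pos >= len(data):
            raise CborScanError("missing break in indefinite-length item")
        if data[pos] == 0xFF:
            return saw, pos + 1
        s, pos = _scan_item(data, pos, depth + 1)
        saw |= s


def _scan_item(data: bytes, pos: int, depth: int = 0):
    """Walk one data item starting at pos. Returns (saw_map, position after it)."""
    if depth > MAX_DEPTH:
        raise CborScanError("nesting too deep")
    if pos >= len(data):
        raise CborScanError("truncated item")
    major, ai = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if major in (0, 1):                        # unsigned / negative integer
        return False, _arg(data, pos, ai)[1]
    if major in (2, 3):                        # byte string / text string
        length, pos = _arg(data, pos, ai)
        if length is None:                     # indefinite: chunks until break
            return _scan_until_break(data, pos, depth)
        if pos + length > len(data):
            raise CborScanError("truncated string payload")
        return False, pos + length             # payload bytes are opaque, never a map head
    if major in (4, 5):                        # array / map
        count, pos = _arg(data, pos, ai)
        saw = major == 5                       # a map head is what we are looking for
        if count is None:
            s, pos = _scan_until_break(data, pos, depth)
            return saw or s, pos
        for _ in range(count * (2 if major == 5 else 1)):   # maps hold key+value pairs
            s, pos = _scan_item(data, pos, depth + 1)
            saw |= s
        return saw, pos
    if major == 6:                             # tag: argument, then exactly one tagged item
        _, pos = _arg(data, pos, ai)
        return _scan_item(data, pos, depth + 1)
    if ai == 31:                               # major 7 with ai 31 is a stray break byte
        raise CborScanError(f"unexpected break at offset {pos - 1}")
    return False, _arg(data, pos, ai)[1]       # simple value or float


def contains_map(data: bytes) -> bool:
    """Structural scan: True if the single top-level item contains a map anywhere
    (inside arrays, tags and indefinite-length containers included). Raises
    CborScanError on malformed input or trailing bytes; callers should reject both."""
    saw, end = _scan_item(data, 0)
    if end != len(data):
        raise CborScanError(f"{len(data) - end} trailing byte(s) after the item")
    return saw


def safe_to_decode(data: bytes) -> bool:
    """Gate for the decoder: well-formed and map-free."""
    try:
        return not contains_map(data)
    except CborScanError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs (diagnostic notation in the comments).
    samples = {
        "1":                b"\x01",
        "{1: 2}":           b"\xa1\x01\x02",
        "[{1: 2}]":         b"\x81\xa1\x01\x02",
        "h'A0A1'":          b"\x42\xa0\xa1",          # benign bytes, fails the byte scan only
        "0(\"hi\")":        b"\xc0\x62hi",
        "[_ {}]":           b"\x9f\xa0\xff",          # indefinite array holding a map
    }
    for label, raw in samples.items():
        print(f"{label:12} precheck={advisory_precheck(raw)!s:5} "
              f"structural_ok={safe_to_decode(raw)}")
```

The structural scan is the check to use when the application must accept strings or integers that happen to contain bytes 0xA0 through 0xBF; it still refuses anything it cannot parse completely, so malformed or truncated input never reaches the vulnerable decoder either.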

Related Identifiers

CVE-2024-23684
GHSA-FJ2W-WFGV-MWQ6
GHSA-HFJ8-63C8-RMFW

Affected Products

Com.Upokecenter.Cbor