PT-2023-4628 · Apache · Apache Johnzon

Jean-Louis Monteiro (+2)

Published 2023-05-10 · Updated 2024-10-07

CVE-2023-33008

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Apache Johnzon versions 1.2.0 through 1.2.20

Description: A remote attacker can craft JSON input containing very large numbers, such as 1e20000000, which Apache Johnzon deserializes into a BigDecimal. Converting such a value can be extremely slow, which poses a denial-of-service risk. The issue stems from deserialization of untrusted data and can be exploited by a remote attacker to cause a denial of service.

Recommendations: For Apache Johnzon versions 1.2.0 through 1.2.20, update to Apache Johnzon 1.2.21, which mitigates the issue by applying a default scale limit of 1000 to BigDecimal values. As a temporary workaround, restrict the size of numbers accepted in JSON input to reduce the risk of exploitation.
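The scale limit described in the recommendation, as an added example that is not Johnzon's own code: a Python `json.loads` wrapper that routes every number through a `Decimal` and rejects any whose decimal exponent exceeds 1000 before the value is ever expanded. The limit constant, the function names and the sample inputs are assumptions constructed for this illustration.

```python
import json
from decimal import Decimal, InvalidOperation

# Assumed default: mirrors the scale limit of 1000 that the advisory says
# Johnzon 1.2.21 applies to BigDecimal values.
MAX_SCALE = 1000


class NumberTooLargeError(ValueError):
    """Raised for a JSON number whose exponent exceeds the configured limit."""


def guarded_number(token: str, max_scale: int = MAX_SCALE) -> Decimal:
    """Turn a JSON number literal into a Decimal, refusing it before any
    expensive expansion when its decimal exponent exceeds max_scale.

    Decimal(token) only records the digits and the exponent, so it stays
    cheap even for "1e20000000"; the cost appears later, when such a value
    is expanded (int(value), value.to_integral_value(), plain formatting).
    """
    try:
        value = Decimal(token)
    except InvalidOperation as exc:
        raise ValueError(f"not a valid number: {token!r}") from exc
    exponent = value.as_tuple().exponent
    if not isinstance(exponent, int) or abs(exponent) > max_scale:
        raise NumberTooLargeError(
            f"number exponent {exponent} exceeds limit {max_scale}"
        )
    return value


def safe_loads(text: str, max_scale: int = MAX_SCALE):
    """json.loads with every integer and float token guarded."""
    def hook(token: str) -> Decimal:
        return guarded_number(token, max_scale)
    return json.loads(text, parse_int=hook, parse_float=hook)


def is_rejected(text: str, max_scale: int = MAX_SCALE) -> bool:
    """True when the document is refused because of an oversized number."""
    try:
        safe_loads(text, max_scale)
    except NumberTooLargeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the advisory's 1e20000000 versus ordinary values.
    print(safe_loads('{"price": 12.50, "qty": 3}'))
    print(is_rejected('{"amount": 1e20000000}'))
```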

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2023-05035
CVE-2023-33008
GHSA-CRQG-JRPJ-FC84

Affected Products

Apache Johnzon