feat: add the new version and the 10.2 base version

[mbrasil]

@pentaho/millenniumfalcon please review

[buildguy]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45693
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-40150
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45685
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.1]	CVE-2022-40149
Medium	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.groovy:groovy-all 2.4.8	[2.4.21] [2.5.14] [3.0.7]	CVE-2020-17521

🔬 Research Details

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray

[ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(Map map) is used to parse or construct a JSON, a user-controlled input can cause a stack exhaustion if it is forwarded to the class for processing. This is because the patch for CVE-2022-45685 in version 1.5.2 is flawed and a simple case can trigger a bad recursion check, causing a denial of service.
The call to JSONArray.put(Map value) can also trigger the vulnerability as it calls the above function.

The attackers must still find an input that propagates either to the JSONObject class as a Map parameter or to JSONArray.put(Map value) function to trigger this vulnerability. The exploit is trivial as it is shown in the PoC -

HashMap<String,Object> map=new HashMap<>();
map.put("t",map);
JSONObject jsonObject=new JSONObject(map);

Remediation:

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

[ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(JSONTokener x) is used to parse or construct a JSON, a user-controlled input can cause a stack buffer overflow if it is forwarded to the class for processing. This is because the function has a limited depth for nested objects, which can be easily exceeded in a malicious JSON. While this vulnerability may not allow for code execution, it can still cause a denial of service.

To exploit this issue, the attacker must find an input that propagates to the JSONObject(JSONTokener x) constructor. The exploit is trivial as a simple JSON file containing a large number of opening brackets will cause the denial of service -

String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)";
new JSONObject(s);

Remediation:

Development mitigations

This issue can be mitigated by checking the nested depth of the input JSON before passing it to the JSONObject class.

public boolean validateJSON(String jsonString) {
    // Set a maximum depth limit (same limit as in the fix)
    final int MAX_DEPTH = 500; 

    // Initialize a stack to track the current depth
    Stack<Integer> stack = new Stack<>();

    // Iterate through the characters in the string
    for (int i = 0; i < jsonString.length(); i++) {
        char c = jsonString.charAt(i);

        // If we encounter an opening curly brace, increment the depth
        if (c == '{') {
            stack.push(1);
        }
        // If we encounter a closing curly brace, decrement the depth
        else if (c == '}') {
            stack.pop();
        }

        // If the depth exceeds the maximum limit, return false
        if (stack.size() > MAX_DEPTH) {
            return false;
        }
    }

    // If we reach the end of the string and the depth is zero, the JSON is valid
    return stack.isEmpty();
}

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

[ CVE-2020-17521 ] org.codehaus.groovy:groovy-all 2.4.8

Description:
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Note:

---

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.

---

🐸 JFrog Frogbot

[buildguy]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45693
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.1]	CVE-2022-40149
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45685
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-40150
Medium	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.groovy:groovy-all 2.4.8	[2.4.21] [2.5.14] [3.0.7]	CVE-2020-17521

🔬 Research Details

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray

[ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(Map map) is used to parse or construct a JSON, a user-controlled input can cause a stack exhaustion if it is forwarded to the class for processing. This is because the patch for CVE-2022-45685 in version 1.5.2 is flawed and a simple case can trigger a bad recursion check, causing a denial of service.
The call to JSONArray.put(Map value) can also trigger the vulnerability as it calls the above function.

The attackers must still find an input that propagates either to the JSONObject class as a Map parameter or to JSONArray.put(Map value) function to trigger this vulnerability. The exploit is trivial as it is shown in the PoC -

HashMap<String,Object> map=new HashMap<>();
map.put("t",map);
JSONObject jsonObject=new JSONObject(map);

Remediation:

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

[ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

[ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(JSONTokener x) is used to parse or construct a JSON, a user-controlled input can cause a stack buffer overflow if it is forwarded to the class for processing. This is because the function has a limited depth for nested objects, which can be easily exceeded in a malicious JSON. While this vulnerability may not allow for code execution, it can still cause a denial of service.

To exploit this issue, the attacker must find an input that propagates to the JSONObject(JSONTokener x) constructor. The exploit is trivial as a simple JSON file containing a large number of opening brackets will cause the denial of service -

String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)";
new JSONObject(s);

Remediation:

Development mitigations

This issue can be mitigated by checking the nested depth of the input JSON before passing it to the JSONObject class.

public boolean validateJSON(String jsonString) {
    // Set a maximum depth limit (same limit as in the fix)
    final int MAX_DEPTH = 500; 

    // Initialize a stack to track the current depth
    Stack<Integer> stack = new Stack<>();

    // Iterate through the characters in the string
    for (int i = 0; i < jsonString.length(); i++) {
        char c = jsonString.charAt(i);

        // If we encounter an opening curly brace, increment the depth
        if (c == '{') {
            stack.push(1);
        }
        // If we encounter a closing curly brace, decrement the depth
        else if (c == '}') {
            stack.pop();
        }

        // If the depth exceeds the maximum limit, return false
        if (stack.size() > MAX_DEPTH) {
            return false;
        }
    }

    // If we reach the end of the string and the depth is zero, the JSON is valid
    return stack.isEmpty();
}

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

[ CVE-2020-17521 ] org.codehaus.groovy:groovy-all 2.4.8

Description:
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Note:

---

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.

---

🐸 JFrog Frogbot

[buildguy]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45693
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.1]	CVE-2022-40149
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45685
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-40150
Medium	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.groovy:groovy-all 2.4.8	[2.4.21] [2.5.14] [3.0.7]	CVE-2020-17521

🔬 Research Details

[ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(Map map) is used to parse or construct a JSON, a user-controlled input can cause a stack exhaustion if it is forwarded to the class for processing. This is because the patch for CVE-2022-45685 in version 1.5.2 is flawed and a simple case can trigger a bad recursion check, causing a denial of service.
The call to JSONArray.put(Map value) can also trigger the vulnerability as it calls the above function.

The attackers must still find an input that propagates either to the JSONObject class as a Map parameter or to JSONArray.put(Map value) function to trigger this vulnerability. The exploit is trivial as it is shown in the PoC -

HashMap<String,Object> map=new HashMap<>();
map.put("t",map);
JSONObject jsonObject=new JSONObject(map);

Remediation:

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray

[ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(JSONTokener x) is used to parse or construct a JSON, a user-controlled input can cause a stack buffer overflow if it is forwarded to the class for processing. This is because the function has a limited depth for nested objects, which can be easily exceeded in a malicious JSON. While this vulnerability may not allow for code execution, it can still cause a denial of service.

To exploit this issue, the attacker must find an input that propagates to the JSONObject(JSONTokener x) constructor. The exploit is trivial as a simple JSON file containing a large number of opening brackets will cause the denial of service -

String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)";
new JSONObject(s);

Remediation:

Development mitigations

This issue can be mitigated by checking the nested depth of the input JSON before passing it to the JSONObject class.

public boolean validateJSON(String jsonString) {
    // Set a maximum depth limit (same limit as in the fix)
    final int MAX_DEPTH = 500; 

    // Initialize a stack to track the current depth
    Stack<Integer> stack = new Stack<>();

    // Iterate through the characters in the string
    for (int i = 0; i < jsonString.length(); i++) {
        char c = jsonString.charAt(i);

        // If we encounter an opening curly brace, increment the depth
        if (c == '{') {
            stack.push(1);
        }
        // If we encounter a closing curly brace, decrement the depth
        else if (c == '}') {
            stack.pop();
        }

        // If the depth exceeds the maximum limit, return false
        if (stack.size() > MAX_DEPTH) {
            return false;
        }
    }

    // If we reach the end of the string and the depth is zero, the JSON is valid
    return stack.isEmpty();
}

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

[ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

[ CVE-2020-17521 ] org.codehaus.groovy:groovy-all 2.4.8

Description:
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Note:

---

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.

---

🐸 JFrog Frogbot

[buildguy]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-40150
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.1]	CVE-2022-40149
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45693
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45685
Medium	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.groovy:groovy-all 2.4.8	[2.4.21] [2.5.14] [3.0.7]	CVE-2020-17521

🔬 Research Details

[ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

[ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray

[ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(Map map) is used to parse or construct a JSON, a user-controlled input can cause a stack exhaustion if it is forwarded to the class for processing. This is because the patch for CVE-2022-45685 in version 1.5.2 is flawed and a simple case can trigger a bad recursion check, causing a denial of service.
The call to JSONArray.put(Map value) can also trigger the vulnerability as it calls the above function.

The attackers must still find an input that propagates either to the JSONObject class as a Map parameter or to JSONArray.put(Map value) function to trigger this vulnerability. The exploit is trivial as it is shown in the PoC -

HashMap<String,Object> map=new HashMap<>();
map.put("t",map);
JSONObject jsonObject=new JSONObject(map);

Remediation:

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(JSONTokener x) is used to parse or construct a JSON, a user-controlled input can cause a stack buffer overflow if it is forwarded to the class for processing. This is because the function has a limited depth for nested objects, which can be easily exceeded in a malicious JSON. While this vulnerability may not allow for code execution, it can still cause a denial of service.

To exploit this issue, the attacker must find an input that propagates to the JSONObject(JSONTokener x) constructor. The exploit is trivial as a simple JSON file containing a large number of opening brackets will cause the denial of service -

String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)";
new JSONObject(s);

Remediation:

Development mitigations

This issue can be mitigated by checking the nested depth of the input JSON before passing it to the JSONObject class.

public boolean validateJSON(String jsonString) {
    // Set a maximum depth limit (same limit as in the fix)
    final int MAX_DEPTH = 500; 

    // Initialize a stack to track the current depth
    Stack<Integer> stack = new Stack<>();

    // Iterate through the characters in the string
    for (int i = 0; i < jsonString.length(); i++) {
        char c = jsonString.charAt(i);

        // If we encounter an opening curly brace, increment the depth
        if (c == '{') {
            stack.push(1);
        }
        // If we encounter a closing curly brace, decrement the depth
        else if (c == '}') {
            stack.pop();
        }

        // If the depth exceeds the maximum limit, return false
        if (stack.size() > MAX_DEPTH) {
            return false;
        }
    }

    // If we reach the end of the string and the depth is zero, the JSON is valid
    return stack.isEmpty();
}

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2020-17521 ] org.codehaus.groovy:groovy-all 2.4.8

Description:
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Note:

---

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.

---

🐸 JFrog Frogbot

[buildguy]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.1]	CVE-2022-40149
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45685
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-40150
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45693
Medium	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.groovy:groovy-all 2.4.8	[2.4.21] [2.5.14] [3.0.7]	CVE-2020-17521

🔬 Research Details

[ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

[ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(JSONTokener x) is used to parse or construct a JSON, a user-controlled input can cause a stack buffer overflow if it is forwarded to the class for processing. This is because the function has a limited depth for nested objects, which can be easily exceeded in a malicious JSON. While this vulnerability may not allow for code execution, it can still cause a denial of service.

To exploit this issue, the attacker must find an input that propagates to the JSONObject(JSONTokener x) constructor. The exploit is trivial as a simple JSON file containing a large number of opening brackets will cause the denial of service -

String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)";
new JSONObject(s);

Remediation:

Development mitigations

This issue can be mitigated by checking the nested depth of the input JSON before passing it to the JSONObject class.

public boolean validateJSON(String jsonString) {
    // Set a maximum depth limit (same limit as in the fix)
    final int MAX_DEPTH = 500; 

    // Initialize a stack to track the current depth
    Stack<Integer> stack = new Stack<>();

    // Iterate through the characters in the string
    for (int i = 0; i < jsonString.length(); i++) {
        char c = jsonString.charAt(i);

        // If we encounter an opening curly brace, increment the depth
        if (c == '{') {
            stack.push(1);
        }
        // If we encounter a closing curly brace, decrement the depth
        else if (c == '}') {
            stack.pop();
        }

        // If the depth exceeds the maximum limit, return false
        if (stack.size() > MAX_DEPTH) {
            return false;
        }
    }

    // If we reach the end of the string and the depth is zero, the JSON is valid
    return stack.isEmpty();
}

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

[ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(Map map) is used to parse or construct a JSON, a user-controlled input can cause a stack exhaustion if it is forwarded to the class for processing. This is because the patch for CVE-2022-45685 in version 1.5.2 is flawed and a simple case can trigger a bad recursion check, causing a denial of service.
The call to JSONArray.put(Map value) can also trigger the vulnerability as it calls the above function.

The attackers must still find an input that propagates either to the JSONObject class as a Map parameter or to JSONArray.put(Map value) function to trigger this vulnerability. The exploit is trivial as it is shown in the PoC -

HashMap<String,Object> map=new HashMap<>();
map.put("t",map);
JSONObject jsonObject=new JSONObject(map);

Remediation:

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2020-17521 ] org.codehaus.groovy:groovy-all 2.4.8

Description:
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Note:

---

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.

---

🐸 JFrog Frogbot

[buildguy]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45685
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.1]	CVE-2022-40149
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-40150
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45693
Medium	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.groovy:groovy-all 2.4.8	[2.4.21] [2.5.14] [3.0.7]	CVE-2020-17521

🔬 Research Details

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray

[ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(JSONTokener x) is used to parse or construct a JSON, a user-controlled input can cause a stack buffer overflow if it is forwarded to the class for processing. This is because the function has a limited depth for nested objects, which can be easily exceeded in a malicious JSON. While this vulnerability may not allow for code execution, it can still cause a denial of service.

To exploit this issue, the attacker must find an input that propagates to the JSONObject(JSONTokener x) constructor. The exploit is trivial as a simple JSON file containing a large number of opening brackets will cause the denial of service -

String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)";
new JSONObject(s);

Remediation:

Development mitigations

This issue can be mitigated by checking the nested depth of the input JSON before passing it to the JSONObject class.

public boolean validateJSON(String jsonString) {
    // Set a maximum depth limit (same limit as in the fix)
    final int MAX_DEPTH = 500; 

    // Initialize a stack to track the current depth
    Stack<Integer> stack = new Stack<>();

    // Iterate through the characters in the string
    for (int i = 0; i < jsonString.length(); i++) {
        char c = jsonString.charAt(i);

        // If we encounter an opening curly brace, increment the depth
        if (c == '{') {
            stack.push(1);
        }
        // If we encounter a closing curly brace, decrement the depth
        else if (c == '}') {
            stack.pop();
        }

        // If the depth exceeds the maximum limit, return false
        if (stack.size() > MAX_DEPTH) {
            return false;
        }
    }

    // If we reach the end of the string and the depth is zero, the JSON is valid
    return stack.isEmpty();
}

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

[ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

[ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(Map map) is used to parse or construct a JSON, a user-controlled input can cause a stack exhaustion if it is forwarded to the class for processing. This is because the patch for CVE-2022-45685 in version 1.5.2 is flawed and a simple case can trigger a bad recursion check, causing a denial of service.
The call to JSONArray.put(Map value) can also trigger the vulnerability as it calls the above function.

The attackers must still find an input that propagates either to the JSONObject class as a Map parameter or to JSONArray.put(Map value) function to trigger this vulnerability. The exploit is trivial as it is shown in the PoC -

HashMap<String,Object> map=new HashMap<>();
map.put("t",map);
JSONObject jsonObject=new JSONObject(map);

Remediation:

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2020-17521 ] org.codehaus.groovy:groovy-all 2.4.8

Description:
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Note:

---

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.

---

🐸 JFrog Frogbot

[buildguy]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-40150
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.1]	CVE-2022-40149
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45685
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45693
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
Medium	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.groovy:groovy-all 2.4.8	[2.4.21] [2.5.14] [3.0.7]	CVE-2020-17521

🔬 Research Details

[ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

[ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

[ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(JSONTokener x) is used to parse or construct a JSON, a user-controlled input can cause a stack buffer overflow if it is forwarded to the class for processing. This is because the function has a limited depth for nested objects, which can be easily exceeded in a malicious JSON. While this vulnerability may not allow for code execution, it can still cause a denial of service.

To exploit this issue, the attacker must find an input that propagates to the JSONObject(JSONTokener x) constructor. The exploit is trivial as a simple JSON file containing a large number of opening brackets will cause the denial of service -

String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)";
new JSONObject(s);

Remediation:

Development mitigations

This issue can be mitigated by checking the nested depth of the input JSON before passing it to the JSONObject class.

public boolean validateJSON(String jsonString) {
    // Set a maximum depth limit (same limit as in the fix)
    final int MAX_DEPTH = 500; 

    // Initialize a stack to track the current depth
    Stack<Integer> stack = new Stack<>();

    // Iterate through the characters in the string
    for (int i = 0; i < jsonString.length(); i++) {
        char c = jsonString.charAt(i);

        // If we encounter an opening curly brace, increment the depth
        if (c == '{') {
            stack.push(1);
        }
        // If we encounter a closing curly brace, decrement the depth
        else if (c == '}') {
            stack.pop();
        }

        // If the depth exceeds the maximum limit, return false
        if (stack.size() > MAX_DEPTH) {
            return false;
        }
    }

    // If we reach the end of the string and the depth is zero, the JSON is valid
    return stack.isEmpty();
}

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(Map map) is used to parse or construct a JSON, a user-controlled input can cause a stack exhaustion if it is forwarded to the class for processing. This is because the patch for CVE-2022-45685 in version 1.5.2 is flawed and a simple case can trigger a bad recursion check, causing a denial of service.
The call to JSONArray.put(Map value) can also trigger the vulnerability as it calls the above function.

The attackers must still find an input that propagates either to the JSONObject class as a Map parameter or to JSONArray.put(Map value) function to trigger this vulnerability. The exploit is trivial as it is shown in the PoC -

HashMap<String,Object> map=new HashMap<>();
map.put("t",map);
JSONObject jsonObject=new JSONObject(map);

Remediation:

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray

[ CVE-2020-17521 ] org.codehaus.groovy:groovy-all 2.4.8

Description:
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Note:

---

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.

---

🐸 JFrog Frogbot

[hitachivantarasonarqube]

Analysis Details

0 Issues

• 0 Bugs
• 0 Vulnerabilities
• 0 Code Smells

Coverage and Duplications

• No coverage information (71.40% Estimated after merge)
• No duplication information (0.00% Estimated after merge)

Project ID: pentaho-generic-file-system

View in SonarQube

[buildguy]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-40150
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45685
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.1]	CVE-2022-40149
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.4]	CVE-2023-1436
High	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.jettison:jettison 1.2	[1.5.2]	CVE-2022-45693
Medium	pentaho:pentaho-platform-extensions:10.2.0.0-SNAPSHOT	org.codehaus.groovy:groovy-all 2.4.8	[2.4.21] [2.5.14] [3.0.7]	CVE-2020-17521

🔬 Research Details

[ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

[ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(JSONTokener x) is used to parse or construct a JSON, a user-controlled input can cause a stack buffer overflow if it is forwarded to the class for processing. This is because the function has a limited depth for nested objects, which can be easily exceeded in a malicious JSON. While this vulnerability may not allow for code execution, it can still cause a denial of service.

To exploit this issue, the attacker must find an input that propagates to the JSONObject(JSONTokener x) constructor. The exploit is trivial as a simple JSON file containing a large number of opening brackets will cause the denial of service -

String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)";
new JSONObject(s);

Remediation:

Development mitigations

This issue can be mitigated by checking the nested depth of the input JSON before passing it to the JSONObject class.

public boolean validateJSON(String jsonString) {
    // Set a maximum depth limit (same limit as in the fix)
    final int MAX_DEPTH = 500; 

    // Initialize a stack to track the current depth
    Stack<Integer> stack = new Stack<>();

    // Iterate through the characters in the string
    for (int i = 0; i < jsonString.length(); i++) {
        char c = jsonString.charAt(i);

        // If we encounter an opening curly brace, increment the depth
        if (c == '{') {
            stack.push(1);
        }
        // If we encounter a closing curly brace, decrement the depth
        else if (c == '}') {
            stack.pop();
        }

        // If the depth exceeds the maximum limit, return false
        if (stack.size() > MAX_DEPTH) {
            return false;
        }
    }

    // If we reach the end of the string and the depth is zero, the JSON is valid
    return stack.isEmpty();
}

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.2

Description:
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

Description:
Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray

[ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.2

Description:
Jettison is a Java library for converting XML to JSON and vice-versa with the help of StAX.

When the JSONObject(Map map) is used to parse or construct a JSON, a user-controlled input can cause a stack exhaustion if it is forwarded to the class for processing. This is because the patch for CVE-2022-45685 in version 1.5.2 is flawed and a simple case can trigger a bad recursion check, causing a denial of service.
The call to JSONArray.put(Map value) can also trigger the vulnerability as it calls the above function.

The attackers must still find an input that propagates either to the JSONObject class as a Map parameter or to JSONArray.put(Map value) function to trigger this vulnerability. The exploit is trivial as it is shown in the PoC -

HashMap<String,Object> map=new HashMap<>();
map.put("t",map);
JSONObject jsonObject=new JSONObject(map);

Remediation:

Development mitigations

Wrap the JSONObject constructor with exception handling -

try {
        JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2020-17521 ] org.codehaus.groovy:groovy-all 2.4.8

Description:
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Note:

---

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.

---

🐸 JFrog Frogbot