Ion Java StackOverflow vulnerability
CVE-2024-21634
7.5 HIGH
What is CVE-2024-21634?
A potential denial-of-service vulnerability exists in the Amazon Ion library, specifically in versions of the ion-java implementation prior to 1.10.5. The issue arises when an application deserializes Ion text-encoded data, or transforms Ion text or binary data into the IonValue model. If an attacker crafts malicious Ion data and an affected application loads it, invoking certain IonValue methods on the result can trigger a StackOverflowError, which terminates the thread and can take down the service. To mitigate this issue, avoid processing Ion data from untrusted sources or data that may have been tampered with. Users are strongly advised to upgrade to ion-java version 1.10.5 or later, which contains the fix.
Affected Version(s)
ion-java < 1.10.5
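As an added example (not from the advisory or the ion-java project), the following Python check flags a Maven pom.xml that pins an affected ion-java version, comparing versions numerically so that 1.9.x is not mistaken for being newer than 1.10.5. The Maven coordinates com.amazon.ion:ion-java and the sample POM are assumptions, not values taken from the page.

```python
import re
import xml.etree.ElementTree as ET

# From the advisory: ion-java versions before 1.10.5 are affected.
FIXED_VERSION = "1.10.5"
# Maven coordinates of ion-java (assumed; the advisory does not state them).
GROUP_ID, ARTIFACT_ID = "com.amazon.ion", "ion-java"


def parse_version(version: str) -> tuple:
    """Turn '1.10.4' into (1, 10, 4) so versions compare numerically.
    A plain string comparison would wrongly rank '1.9.0' above '1.10.5'."""
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if core is None:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in core.group(0).split("."))
    return parts + (0,) * (3 - len(parts))  # 1.10 compares equal to 1.10.0


def is_affected(version: str) -> bool:
    """True when the declared ion-java version predates the 1.10.5 fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def affected_ion_java_in_pom(pom_xml: str) -> list:
    """Versions of ion-java declared in a pom.xml that still need the upgrade.
    Maven POMs use a default namespace, so tags are matched by local name."""
    root = ET.fromstring(pom_xml)
    hits = []
    for dep in root.iter():
        if dep.tag.rpartition("}")[2] != "dependency":
            continue
        f = {c.tag.rpartition("}")[2]: (c.text or "").strip() for c in dep}
        if (f.get("groupId"), f.get("artifactId")) != (GROUP_ID, ARTIFACT_ID):
            continue
        if f.get("version") and is_affected(f["version"]):
            hits.append(f["version"])
    return hits


# Constructed sample POM (not from the page) pinning a pre-fix version.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.amazon.ion</groupId>
      <artifactId>ion-java</artifactId>
      <version>1.10.4</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for v in affected_ion_java_in_pom(SAMPLE_POM):
        print(f"ion-java {v} is affected by CVE-2024-21634; upgrade to >= {FIXED_VERSION}")
```

Versions resolved through a parent POM or a dependencyManagement property are not expanded here; run the check against the effective POM for those builds.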
