Sign In

CVE-2024-21634

ADVISORY - github

Summary

Impact

A potential denial-of-service issue exists in ion-java for applications that use ion-java to:

  • Deserialize Ion text encoded data, or
  • Deserialize Ion text or binary encoded data into the IonValue model and then invoke certain IonValue methods on that in-memory representation.

An actor could craft Ion data that, when loaded by the affected application and/or processed using the IonValue model, results in a StackOverflowError originating from the ion-java library.

Impacted versions: <1.10.5

Patches

The patch is included in ion-java >= 1.10.5.

Workarounds

Do not load data which originated from an untrusted source or that could have been tampered with. Only load data you trust.

If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

[1] https://aws.amazon.com/security/vulnerability-reporting

EPSS Score: 0.0033 (0.553)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-770

Allocation of Resources Without Limits or Throttling

ADVISORY - github

CWE-770

Allocation of Resources Without Limits or Throttling

ADVISORY - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-770

Allocation of Resources Without Limits or Throttling

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-770

Allocation of Resources Without Limits or Throttling

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in