
Fix CVE-2023-1436 Jettison vulnerability

Security Vulnerabilities –

How to remove HIGH security vulnerability CVE-2023-1436

Environment –

All the applications using jettison as third party library.

Root cause –

An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

Vulnerability Details –

NVD status: 7.5 HIGH
NVD url: CVE-2023-1436 (https://nvd.nist.gov/vuln/detail/CVE-2023-1436)

Solution –

Jettison is used to convert XML to JSON and JSON to XML. All versions below 1.5.4 are affected by this vulnerability. You need to upgrade org.codehaus.jettison.jettison to at least 1.5.4.

As of writing (December 4, 2023), 1.5.4 is the latest version of jettison available; it was released on March 14, 2023. However, you should check for the latest version before upgrading.

Maven –

<dependency>
    <groupId>org.codehaus.jettison</groupId>
    <artifactId>jettison</artifactId>
    <version>1.5.4</version>
</dependency>

Gradle –

dependencies {
    implementation 'org.codehaus.jettison:jettison:1.5.4'
}
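The following is an added example, not code from the original article or from the Jettison project. It covers both the root cause and the solution above: it reads the Jettison version from the jar on the classpath and compares it with 1.5.4, and it refuses a Collection that contains itself before handing it to JSONArray, so an application that cannot upgrade immediately is not driven into the infinite recursion described above. Assumptions: the Jettison jar follows the standard "jettison-<version>.jar" naming that Maven and Gradle produce, and the class name JettisonGuard and all its method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.codehaus.jettison.json.JSONArray;
import org.codehaus.jettison.json.JSONException;

/**
 * Added example (not part of the original article or of Jettison itself).
 * Defensive checks around CVE-2023-1436:
 *  - jettisonVersionFromClasspath()/isPatchedVersion(): is the jar at least 1.5.4?
 *    (assumption: the jar is named "jettison-<version>.jar")
 *  - toJsonArraySafely(): reject a self-referential Collection before JSONArray sees it.
 */
public final class JettisonGuard {

    /** First version that contains the fix, per the article. */
    static final int[] FIXED_VERSION = {1, 5, 4};

    private JettisonGuard() {}

    /** Version string parsed from the Jettison jar name, or null if it cannot be determined. */
    public static String jettisonVersionFromClasspath() {
        try {
            String location = JSONArray.class.getProtectionDomain()
                    .getCodeSource().getLocation().getPath();
            String file = location.substring(location.lastIndexOf('/') + 1);
            // expected shape (assumption): jettison-1.5.4.jar
            if (file.startsWith("jettison-") && file.endsWith(".jar")) {
                return file.substring("jettison-".length(), file.length() - ".jar".length());
            }
        } catch (RuntimeException e) {
            // no code source (e.g. exploded classes directory): version unknown
        }
        return null;
    }

    /** True when the given "x.y.z" version is 1.5.4 or newer; unknown/unparseable counts as unpatched. */
    public static boolean isPatchedVersion(String version) {
        if (version == null) return false;
        String[] parts = version.split("[.-]");
        for (int i = 0; i < FIXED_VERSION.length; i++) {
            int v = 0;
            if (i < parts.length) {
                try { v = Integer.parseInt(parts[i]); } catch (NumberFormatException e) { v = 0; }
            }
            if (v > FIXED_VERSION[i]) return true;
            if (v < FIXED_VERSION[i]) return false;
        }
        return true;
    }

    /** True when the collection reaches itself through nested collections or map values. */
    public static boolean containsSelfReference(Collection<?> root) {
        Set<Object> onPath = Collections.newSetFromMap(new IdentityHashMap<>());
        return hasCycle(root, onPath);
    }

    private static boolean hasCycle(Object node, Set<Object> onPath) {
        if (!(node instanceof Collection) && !(node instanceof Map)) return false;
        if (!onPath.add(node)) return true; // already on the current descent path: a cycle
        Iterable<?> children = node instanceof Map ? ((Map<?, ?>) node).values() : (Collection<?>) node;
        try {
            for (Object child : children) {
                if (hasCycle(child, onPath)) return true;
            }
        } finally {
            onPath.remove(node); // identity-based, so sibling references to the same list are allowed
        }
        return false;
    }

    /** Builds a JSONArray only after rejecting self-referential input. */
    public static JSONArray toJsonArraySafely(Collection<?> input) throws JSONException {
        if (containsSelfReference(input)) {
            throw new IllegalArgumentException("refusing self-referential collection (CVE-2023-1436)");
        }
        return new JSONArray(input);
    }

    public static void main(String[] args) throws JSONException {
        String version = jettisonVersionFromClasspath();
        System.out.println("Jettison on classpath: " + version + ", patched: " + isPatchedVersion(version));

        // constructed sample: a list that contains itself
        List<Object> selfRef = new ArrayList<>();
        selfRef.add("ok");
        selfRef.add(selfRef);
        System.out.println("self-reference detected: " + containsSelfReference(selfRef));

        // constructed sample: ordinary nested input passes through to Jettison
        List<Object> plain = Arrays.asList("a", 1, Arrays.asList("nested"));
        System.out.println(toJsonArraySafely(plain));
    }
}
```

The version check is a startup-time sanity check, not a substitute for fixing the dependency: a transitive dependency can still pull in an older jettison, so also inspect the resolved dependency tree of your build. The cycle detector tracks only the current descent path with identity semantics, so the same nested list appearing twice as a sibling is accepted while a true cycle is rejected.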

Do you have another solution?

The solution provided above is based on the scenario one of our developers/contributors faced. If you faced the same issue and found a different root cause, please share your solution in the comment section below. We will add the solution to this article.
