The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3373 advisory.
A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request. (CVE-2021-31684)
Json-smart is a performance focused, JSON processor lib. When reaching a [ or { character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software. (CVE-2023-1370)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3373. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
script_id(173721);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/19");
script_cve_id("CVE-2021-31684", "CVE-2023-1370");
script_name(english:"Debian DLA-3373-1 : json-smart - LTS security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the
dla-3373 advisory.
- A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3
and 2.4 which causes a denial of service (DOS) via a crafted web request. (CVE-2021-31684)
- [Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When
reaching a [ or { character in the JSON input, the code parses an array or an object respectively. It
was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the
parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack
exhaustion (stack overflow) and crash the software. (CVE-2023-1370)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033474");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/json-smart");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2023/dla-3373");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-31684");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-1370");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/json-smart");
script_set_attribute(attribute:"solution", value:
"Upgrade the json-smart packages.
For Debian 10 buster, these problems have been fixed in version 2.2-2+deb10u1.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-31684");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-1370");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/06/01");
script_set_attribute(attribute:"patch_publication_date", value:"2023/03/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/03/31");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjson-smart-java");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(10)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);
var pkgs = [
{'release': '10.0', 'prefix': 'libjson-smart-java', 'reference': '2.2-2+deb10u1'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var _release = NULL;
var prefix = NULL;
var reference = NULL;
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (_release && prefix && reference) {
if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : deb_report_get()
);
exit(0);
}
else
{
var tested = deb_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libjson-smart-java');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31684
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1370
bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033474
packages.debian.org/source/buster/json-smart
security-tracker.debian.org/tracker/CVE-2021-31684
security-tracker.debian.org/tracker/CVE-2023-1370
security-tracker.debian.org/tracker/source-package/json-smart
www.debian.org/lts/security/2023/dla-3373