CVE-2023-1370

Name	CVE-2023-1370
Description	[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3373-1
Debian Bugs	1033474

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
json-smart (PTS)	stretch	2.2-1	vulnerable
	buster (security), buster, buster (lts)	2.2-2+deb10u1	fixed
	bullseye	2.2-2+deb11u1	fixed
	bookworm	2.2-2+deb12u1	fixed
	sid, trixie	2.2-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
json-smart	source	stretch	(unfixed)	end-of-life
json-smart	source	buster	2.2-2+deb10u1		DLA-3373-1
json-smart	source	bullseye	2.2-2+deb11u1
json-smart	source	bookworm	2.2-2+deb12u1
json-smart	source	(unstable)	2.2-3			1033474

Notes

https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a (2.4.9)