Search for packages
| purl | pkg:deb/debian/libjson-java@2.4-3.1?distro=trixie |
| Next non-vulnerable version | 3.1.0+dfsg-1 |
| Latest non-vulnerable version | 3.2.0+dfsg-2 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-g6p1-25m8-hyak
Aliases: CVE-2024-47855 GHSA-wwcp-26wc-3fxm |
JSON-lib mishandles an unbalanced comment string util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalanced comment string. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-tp9p-km7u-wbd5
Aliases: CVE-2023-5072 GHSA-4jq9-2xhw-jpx7 |
Java: DoS Vulnerability in JSON-JAVA A denial of service vulnerability in JSON-Java was discovered by [ClusterFuzz](https://google.github.io/clusterfuzz/). A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using `\` to escape special characters, including `\` itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of `\` characters in the escaped string. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-03T07:28:58.653040+00:00 | Debian Importer | Affected by | VCID-g6p1-25m8-hyak | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:28:58.605248+00:00 | Debian Importer | Affected by | VCID-tp9p-km7u-wbd5 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |