Vulnerability details: VCID-sqx4-euc2-myew
Vulnerability ID VCID-sqx4-euc2-myew
Aliases CVE-2022-40149
GHSA-56h3-78gp-v83r
Summary Jettison parser crash by stack overflow. Those using Jettison to parse untrusted XML or JSON data may be vulnerable to denial-of-service (DoS) attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow, which may support a denial-of-service attack.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40149.json
epss 0.0055 https://api.first.org/data/v1/epss?cve=CVE-2022-40149
cvssv3.1 6.5 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538
generic_textual MODERATE https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538
ssvc Track https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-56h3-78gp-v83r
cvssv3.1 6.5 https://github.com/jettison-json/jettison
generic_textual MODERATE https://github.com/jettison-json/jettison
cvssv3.1 6.5 https://github.com/jettison-json/jettison/issues/45
generic_textual MODERATE https://github.com/jettison-json/jettison/issues/45
ssvc Track https://github.com/jettison-json/jettison/issues/45
cvssv3.1 6.5 https://github.com/jettison-json/jettison/pull/49/files
generic_textual MODERATE https://github.com/jettison-json/jettison/pull/49/files
cvssv3.1 6.5 https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1
generic_textual MODERATE https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1
cvssv3.1 6.5 https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html
ssvc Track https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2022-40149
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-40149
cvssv3.1 6.5 https://www.debian.org/security/2023/dsa-5312
generic_textual MODERATE https://www.debian.org/security/2023/dsa-5312
ssvc Track https://www.debian.org/security/2023/dsa-5312
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40149.json
https://api.first.org/data/v1/epss?cve=CVE-2022-40149
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40150
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45693
https://github.com/jettison-json/jettison
https://github.com/jettison-json/jettison/issues/45
https://github.com/jettison-json/jettison/pull/49/files
https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1
https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html
https://www.debian.org/security/2023/dsa-5312
1022554 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022554
2135771 https://bugzilla.redhat.com/show_bug.cgi?id=2135771
CVE-2022-40149 https://nvd.nist.gov/vuln/detail/CVE-2022-40149
GHSA-56h3-78gp-v83r https://github.com/advisories/GHSA-56h3-78gp-v83r
RHSA-2023:0469 https://access.redhat.com/errata/RHSA-2023:0469
RHSA-2023:0544 https://access.redhat.com/errata/RHSA-2023:0544
RHSA-2023:0552 https://access.redhat.com/errata/RHSA-2023:0552
RHSA-2023:0553 https://access.redhat.com/errata/RHSA-2023:0553
RHSA-2023:0554 https://access.redhat.com/errata/RHSA-2023:0554
RHSA-2023:0556 https://access.redhat.com/errata/RHSA-2023:0556
RHSA-2023:3223 https://access.redhat.com/errata/RHSA-2023:3223
RHSA-2023:3610 https://access.redhat.com/errata/RHSA-2023:3610
RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663
RHSA-2025:4437 https://access.redhat.com/errata/RHSA-2025:4437
USN-6177-1 https://usn.ubuntu.com/6177-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40149.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:36:38Z/ Found at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/jettison-json/jettison
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/jettison-json/jettison/issues/45
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:36:38Z/ Found at https://github.com/jettison-json/jettison/issues/45
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/jettison-json/jettison/pull/49/files
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:36:38Z/ Found at https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-40149
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://www.debian.org/security/2023/dsa-5312
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:36:38Z/ Found at https://www.debian.org/security/2023/dsa-5312
Exploit Prediction Scoring System (EPSS)
Percentile 0.67901
EPSS Score 0.0055
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:05:34.419669+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-56h3-78gp-v83r/GHSA-56h3-78gp-v83r.json 38.0.0