Vulnerability details: VCID-tp9p-km7u-wbd5
Vulnerability ID VCID-tp9p-km7u-wbd5
Aliases CVE-2023-5072
GHSA-4jq9-2xhw-jpx7
Summary: Java: DoS Vulnerability in JSON-JAVA
A denial of service vulnerability in JSON-Java was discovered by [ClusterFuzz](https://google.github.io/clusterfuzz/). A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using `\` to escape special characters, including `\` itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of `\` characters in the escaped string.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-5072.json
epss 0.00741 https://api.first.org/data/v1/epss?cve=CVE-2023-5072
epss 0.00823 https://api.first.org/data/v1/epss?cve=CVE-2023-5072
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-4jq9-2xhw-jpx7
cvssv3.1 7.5 https://github.com/google/security-research/security/advisories/GHSA-4jq9-2xhw-jpx7
cvssv3.1_qr HIGH https://github.com/google/security-research/security/advisories/GHSA-4jq9-2xhw-jpx7
generic_textual HIGH https://github.com/google/security-research/security/advisories/GHSA-4jq9-2xhw-jpx7
cvssv3.1 7.5 https://github.com/stleary/JSON-java
generic_textual HIGH https://github.com/stleary/JSON-java
cvssv3.1 7.5 https://github.com/stleary/JSON-java/commit/60662e2f8384d3449822a3a1179bfe8de67b55bb
generic_textual HIGH https://github.com/stleary/JSON-java/commit/60662e2f8384d3449822a3a1179bfe8de67b55bb
cvssv3.1 7.5 https://github.com/stleary/JSON-java/issues/758
generic_textual HIGH https://github.com/stleary/JSON-java/issues/758
ssvc Track https://github.com/stleary/JSON-java/issues/758
cvssv3.1 7.5 https://github.com/stleary/JSON-java/issues/771
generic_textual HIGH https://github.com/stleary/JSON-java/issues/771
ssvc Track https://github.com/stleary/JSON-java/issues/771
cvssv3.1 7.5 https://github.com/stleary/JSON-java/pull/759
generic_textual HIGH https://github.com/stleary/JSON-java/pull/759
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-5072
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-5072
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20240621-0007/
ssvc Track https://security.netapp.com/advisory/ntap-20240621-0007/
cvssv3.1 7.5 http://www.openwall.com/lists/oss-security/2023/12/13/4
ssvc Track http://www.openwall.com/lists/oss-security/2023/12/13/4
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-5072.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/google/security-research/security/advisories/GHSA-4jq9-2xhw-jpx7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/stleary/JSON-java
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/stleary/JSON-java/commit/60662e2f8384d3449822a3a1179bfe8de67b55bb
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/stleary/JSON-java/issues/758
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-21T16:23:55Z/ Found at https://github.com/stleary/JSON-java/issues/758
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/stleary/JSON-java/issues/771
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-21T16:23:55Z/ Found at https://github.com/stleary/JSON-java/issues/771
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/stleary/JSON-java/pull/759
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-5072
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20240621-0007/
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-21T16:23:55Z/ Found at https://security.netapp.com/advisory/ntap-20240621-0007/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://www.openwall.com/lists/oss-security/2023/12/13/4
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-21T16:23:55Z/ Found at http://www.openwall.com/lists/oss-security/2023/12/13/4
Exploit Prediction Scoring System (EPSS)
Percentile 0.72892
EPSS Score 0.00741
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:52:06.886908+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.json/json/CVE-2023-5072.yml 38.0.0