com.mikesamuel:json-sanitizer versions < 1.2.2 vulnerable.

417 views
Skip to first unread message

Mike Samuel

unread,
Jan 12, 2021, 5:29:26 PMJan 12
to json-sanitizer-support
This is a vulnerability disclosure.  Please update to

    com.mikesamuel:json-sanitizer:1.2.2

available at https://search.maven.org/artifact/com.mikesamuel/json-sanitizer/1.2.2/jar

OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and
CDATA section delimiters for crafted input. This allows an
attacker to inject arbitrary HTML or XML into embedding documents.

OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an
undeclared exception for crafted input. This may lead to
denial of service if the application is not prepared to handle these
situations.

CVE-2021-23899. CVE-2021-23900
Reply all
Reply to author
Forward
0 new messages