CVE-2023-5072 - Denial of Service (DoS)
Severity: None
2024-02-09
Abstract
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
The Oxygen products incorporate JSON-Java as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen Content Fusion v5.1 and older | None | Oxygen Content Fusion 6.0 build 2023110109 |
Oxygen XML Author v26.0 and older | None | Oxygen XML Author 26.0 build 2023111306 |
Oxygen XML Developer v26.0 and older | None | Oxygen XML Developer 26.0 build 2023111306 |
Oxygen XML Editor v26.0 and older | None | Oxygen XML Editor 26.0 build 2023111306 |
Oxygen License Server v26.0 and older | None | Oxygen License Server v26.1 build 2024031513 |
Oxygen Publishing Engine v26.0 and older | None | Oxygen Publishing Engine 26.0 build 2023110923 |
Oxygen XML Web Author v26.0.0 and older | None | N/A |
Detail
CVE-2023-5072
Severity: High
CVSS Score: 7.5
The version of the JSON-Java third-party library used by Oxygen XML products is one of the affected versions named in the CVE-2023-5072 vulnerability description.
Oxygen XML products do not parse JSON user input. For that reason, Oxygen XML products are not affected by this vulnerability.