Vulnerability: Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
Note that it's a testImplementation dependency, so it doesn't affect user apps; it's only used for running Capacitor tests, in which the JSON files are provided by us, so there is no vector of attack.
Thanks for the issue! This issue is being locked to prevent comments that are not relevant to the original issue. If this is still an issue with the latest version of Capacitor, please create a new issue and ensure the template is fully filled out.
Feature Request
Description
Vulnerability: Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
Vulnerable Package
org.json/json:20230618
Location
Links
Confusion between \0 and EOF can lead to OutOfMemoryError: stleary/JSON-java#758
Logic to exclude object keys that are themselves objects is imperfect: stleary/JSON-java#771
Fix commit: stleary/JSON-java@60662e2
https://nvd.nist.gov/vuln/detail/CVE-2023-5072
GHSA-rm7j-f5g5-27vv
Identifiers
CVE-2023-5072
Gemnasium-8861eff2-d70b-414e-8e15-c43efed9de6e
GHSA-rm7j-f5g5-27vv
Platform(s)
Android
Preferred Solution
Upgrade to version 20231013 or above.
File location: capacitor/android/capacitor/build.gradle
Need a fix in capacitor@4 as well
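As an added illustration (not code from the Capacitor repository), the build.gradle change this request asks for, with a resolution rule that also catches an older org.json release arriving transitively; the `jsonJavaMinVersion` name and the placement of the dependency in a `dependencies` block are assumptions.

```groovy
// android/capacitor/build.gradle (excerpt, added example, not the project's file)

// Lowest JSON-Java release without CVE-2023-5072 (GHSA-rm7j-f5g5-27vv).
// Name of this property is an assumption for the example.
def jsonJavaMinVersion = '20231013'

dependencies {
    // Before: testImplementation 'org.json:json:20230618'   // affected by CVE-2023-5072
    testImplementation "org.json:json:${jsonJavaMinVersion}"
}

// JSON-Java versions are date-style integers (e.g. 20230618), so they can be
// compared numerically. Force any configuration that resolves an older
// org.json:json (for example through a transitive dependency) up to the fixed release.
configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        def req = details.requested
        if (req.group == 'org.json' && req.name == 'json'
                && req.version != null && req.version.isInteger()
                && req.version.toInteger() < jsonJavaMinVersion.toInteger()) {
            details.useVersion(jsonJavaMinVersion)
            details.because("CVE-2023-5072: JSON-Java <= 20230618 can consume unbounded memory on a small input")
        }
    }
}
```

Running `./gradlew :capacitor:dependencies --configuration testRuntimeClasspath` afterwards shows which org.json version actually ends up on the test classpath.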
Alternatives
Additional Context