CVE-2021-31684

HIGH

Json-smart-v1 < 1.3.3 - Out-of-Bounds Write

Title source: rule

Description

A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.

Exploits (2)

nomisec WRITEUP

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2021-31684-json-smart-v2-vulnerable

View Code ZIP pw:eip

nomisec WRITEUP

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2021-31684-json-smart-v2-vulnerable

View Code ZIP pw:eip

References (8)

[Issue Tracking, Third Party Advisory] https://github.com/netplex/json-smart-v1/issues/10

[Patch, Third Party Advisory] https://github.com/netplex/json-smart-v1/pull/11

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/netplex/json-smart-v2/issues/67

[Patch, Third Party Advisory] https://github.com/netplex/json-smart-v2/pull/68

[Mailing List] https://lists.debian.org/debian-lts-announce/2023/03/msg00030.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2022.html

[Vendor Advisory] https://www.oracle.com/security-alerts/cpujul2022.html

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20240621-0006/

Scores

CVSS v3 7.5

EPSS 0.0006

EPSS Percentile 19.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-787

Status published

Products (6)

json-smart_project/json-smart-v1 1.3 - 1.3.3

json-smart_project/json-smart-v2 2.4 - 2.4.4

net.minidev/json-smart 1.3.0 - 1.3.3Maven

oracle/utilities_framework 4.4.0.0.0

oracle/utilities_framework 4.4.0.2.0

oracle/utilities_framework 4.4.0.3.0

Published Jun 01, 2021

Tracked Since Feb 18, 2026