CVE-2024-21634
CVSS V2 None
CVSS V3 None
Description
Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the `IonValue` model and then invoke certain `IonValue` methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the `IonValue` model, results in a `StackOverflowError` originating from the `ion-java` library. The patch is included in `ion-java` 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with.
Overview
- CVE ID
- CVE-2024-21634
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-01-03T22:46:03.585Z
- Last Modified Date
- 2024-01-03T22:46:03.585Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/amazon-ion/ion-java/security/advisories/GHSA-264p-99wq-f4j6 | x_refsource_CONFIRM |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-21634 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21634 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-06-26 15:30:49 | Added to TrackCVE |