{
  "schema_version": "1.4.0",
  "id": "GHSA-264p-99wq-f4j6",
  "modified": "2024-04-12T17:08:03Z",
  "published": "2024-01-03T22:04:08Z",
  "aliases": [
    "CVE-2024-21634"
  ],
  "summary": "Ion Java StackOverflow vulnerability",
  "details": "### Impact\n\nA potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to:\n\n* Deserialize Ion text encoded data, or\n* Deserialize Ion text or binary encoded data into the `IonValue` model and then invoke certain `IonValue` methods on that in-memory representation.\n\nAn actor could craft Ion data that, when loaded by the affected application and/or processed using the `IonValue` model, results in a `StackOverflowError` originating from the `ion-java` library.\n\nImpacted versions: <1.10.5\n\n### Patches\n\nThe patch is included in `ion-java` >= 1.10.5.\n\n### Workarounds\n\nDo not load data which originated from an untrusted source or that could have been tampered with. **Only load data you trust.**\n\n----\n\nIf you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n[1] https://aws.amazon.com/security/vulnerability-reporting",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.amazon.ion:ion-java"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.5"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "software.amazon.ion:ion-java"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            }
          ]
        }
      ],
      "database_specific": {
        "last_known_affected_version_range": "< 1.10.5"
      }
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/amazon-ion/ion-java/security/advisories/GHSA-264p-99wq-f4j6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21634"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/amazon-ion/ion-java"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-03T22:04:08Z",
    "nvd_published_at": "2024-01-03T23:15:08Z"
  }
}