CVE-2021-42836: 
CBL Mariner vulnerability analysis and mitigation

GJSON before version 1.9.3 contains a vulnerability that allows a Regular Expression Denial of Service (ReDoS) attack. The vulnerability was discovered and disclosed in October 2021, affecting all versions of the GJSON library prior to 1.9.3. GJSON is a Go package that provides functionality for parsing and querying JSON (NVD).

The vulnerability is classified as an Uncontrolled Resource Consumption (CWE-400) issue. It has received a CVSS v3.1 base score of 7.5 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability stems from the way GJSON handles pattern matching in 'like' queries, where crafted JSON input could trigger excessive processing time in the regular expression engine (NVD).

When exploited, this vulnerability can lead to Denial of Service conditions by consuming excessive CPU resources through crafted JSON input patterns. The attack specifically targets the pattern matching functionality, potentially making the service unresponsive (NVD).

The vulnerability was patched in GJSON version 1.9.3 by implementing a complexity limit on pattern matching operations. The fix introduces a MatchLimit function that restricts the complexity of input patterns to prevent ReDoS attacks. Users are advised to upgrade to version 1.9.3 or later (GitHub Commit).