CVE-2023-33008: 
Java vulnerability analysis and mitigation

A deserialization of untrusted data vulnerability was discovered in Apache Johnzon (CVE-2023-33008). The vulnerability affects Apache Johnzon versions through 1.2.20. The issue allows malicious attackers to craft JSON input using extremely large numbers (such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal, potentially resulting in slow conversion operations and leading to denial of service conditions (NVD).

The vulnerability is classified as a Deserialization of Untrusted Data (CWE-502) issue. It has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The vulnerability stems from Apache Johnzon's handling of large numbers during JSON deserialization, where processing extremely large scale values in BigDecimal conversions can lead to performance issues (NVD).

The primary impact of this vulnerability is the potential for denial of service conditions. When exploited, the vulnerability can cause slow conversion operations during the processing of specially crafted JSON input, potentially affecting system performance and availability (Red Hat).

Apache Johnzon 1.2.21 addresses this vulnerability by implementing a scale limit of 1000 (by default) for BigDecimal conversions. Users are advised to upgrade to this version or later to mitigate the risk (NVD).