CVE-2023-4043: 
Java vulnerability analysis and mitigation

In Eclipse Parsson before versions 1.1.4 and 1.0.5, a vulnerability was discovered related to JSON parsing from untrusted sources. The issue stems from the built-in support for parsing numbers with large scale in Java, where certain edge cases in the input text of a number can lead to unexpectedly large processing times (NVD, Rapid7).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.5 (HIGH) according to NVD, while Eclipse Foundation rates it at 5.9 (MEDIUM). The issue is categorized under CWE-834 (Excessive Iteration) and CWE-20 (Improper Input Validation). The vulnerability specifically relates to the processing of numbers with large scale values in JSON parsing, where certain numerical inputs can cause the parser to consume excessive processing time (NVD).

The primary impact of this vulnerability is the potential for Denial of Service (DoS) attacks. When processing untrusted source content, the parsing of numbers with large scale values can lead to significantly extended processing times, effectively causing a denial of service condition (Red Hat).

To address this vulnerability, Eclipse Parsson implemented size limits for numbers and their scale in versions 1.1.4 and 1.0.5. Users are advised to upgrade to these or later versions. The fix specifically modifies how the parser handles BigInteger scale limits and includes additional validation for number parsing (GitHub PR).

The vulnerability has been acknowledged and addressed by multiple organizations, including Red Hat, which has released security advisories and patches for affected products such as JBoss Enterprise Application Platform and Apache Camel (Red Hat Advisory).