CVE-2023-5072: 
Java vulnerability analysis and mitigation

CVE-2023-5072 affects JSON-Java versions up to and including 20230618. The vulnerability is a Denial of Service (DoS) issue where a bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used (NVD, Debian Tracker).

The vulnerability stems from a confusion between \0 and EOF in JSONTokener.next(). The method uses a 0 return to indicate EOF, but 0 is also returned when an actual \0 character is read. In certain circumstances, this can be used to circumvent parser checks, potentially leading to OutOfMemoryError even with relatively small input strings (GitHub Issue). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability can cause a Denial of Service (DoS) condition through excessive memory consumption. An attacker can craft a JSON document that, when parsed, leads to indefinite amounts of memory being used, potentially causing the application to become unresponsive or crash (NVD, GitHub Issue).

Users should upgrade to a version of JSON-Java newer than 20230618. The vulnerability has been fixed in subsequent releases. For systems that cannot be immediately updated, it is recommended to implement input validation and limit the size of JSON documents being processed (NVD).