POC详情: 57563888af5422503b6d33d1f69707bad2839686

来源
https://github.com/scabench/jsonorg-fn1
关联漏洞
标题: Hutool 缓冲区错误漏洞 (CVE-2022-45688)
描述:Hutool是中国Dromara社区的一个小而全的 Java 工具类库。 Hutool v5.8.10版本存在安全漏洞,该漏洞源于XML.toJSONObject组件中的堆栈溢出,允许攻击者通过精心制作的JSON或XML数据导致拒绝服务(DoS)。
描述
simple application with a CVE-2022-45688 vulnerability
介绍
## json.org CVE-2022-45688 false negative

The project illustrates [CVE-2022-45688](https://nvd.nist.gov/vuln/detail/CVE-2022-45688)  in [json.org](https://mvnrepository.com/artifact/org.json/json/20220924) -- there is a simple application
`XML2JSONConverter` to read XML from input, convert it to JSON and 
pretty-print it to the console. 

Using malicious input, the application crashes with a stackoverflow. 

The test case `CVE202245688Test` illustrates this behaviour, it 
can be executed by running `mvn test`.

### Running Software Composition Analyses

There are several sh scripts to run different analyses, result resports can be found in `scan-results`.

### False Negative

The SCA report (including the onces set up as GitHub actions) fail  to report [CVE-2022-45688](https://nvd.nist.gov/vuln/detail/CVE-2022-45688), although
the included test clearyly shows that it exists. The reason is that tools based on 
meta-data analysis only (i.e. declared dependencies) dont realise that the project
uses a [shaded version of (a vulnerable version of) json.org](https://mvnrepository.com/artifact/org.json/json/20220924).

Note that shading is done manually, i.e. the Maven shade plugin is not used.
[Our recent research](https://arxiv.org/abs/2306.05534) suggests that this is a common source of sofwtare composition analysis
false negatives.

### Generating the SBOM

The `pom.xml` has a plugin to generate a [SBOM](https://www.cisa.gov/sbom) in [CycloneDX](https://cyclonedx.org/) format. 
To do this, run `mvn cyclonedx:makePackageBom`, the SBOM can be found in 
`target/` in `json` and `xml` format.
文件快照

 [4.0K]  /data/pocs/57563888af5422503b6d33d1f69707bad2839686
├── [ 11K]  LICENSE
├── [2.4K]  pom.xml
├── [1.6K]  README.md
├── [ 452]  run-owasp.sh
├── [ 261]  run-snyk.sh
├── [4.0K]  scan-results
│   ├── [4.0K]  dependency-check
│   │   └── [1.4K]  dependency-check-report.json
│   └── [4.0K]  snyk
│       └── [2.6K]  snyk-report.json
└── [4.0K]  src
    ├── [4.0K]  main
    │   └── [4.0K]  java
    │       ├── [4.0K]  scabench
    │       │   └── [ 402]  XML2JSONConverter.java
    │       └── [4.0K]  shaded
    │           └── [4.0K]  org
    │               └── [4.0K]  json
    │                   ├── [9.4K]  CDL.java
    │                   ├── [8.0K]  Cookie.java
    │                   ├── [2.3K]  CookieList.java
    │                   ├── [4.8K]  HTTP.java
    │                   ├── [1.4K]  HTTPTokener.java
    │                   ├── [ 57K]  JSONArray.java
    │                   ├── [1.2K]  JSONException.java
    │                   ├── [ 21K]  JSONML.java
    │                   ├── [ 98K]  JSONObject.java
    │                   ├── [ 558]  JSONPointerException.java
    │                   ├── [ 11K]  JSONPointer.java
    │                   ├── [ 662]  JSONPropertyIgnore.java
    │                   ├── [ 748]  JSONPropertyName.java
    │                   ├── [2.1K]  JSONStringer.java
    │                   ├── [ 762]  JSONString.java
    │                   ├── [ 16K]  JSONTokener.java
    │                   ├── [ 14K]  JSONWriter.java
    │                   ├── [1.9K]  Property.java
    │                   ├── [ 34K]  XML.java
    │                   ├── [ 14K]  XMLParserConfiguration.java
    │                   ├── [ 11K]  XMLTokener.java
    │                   └── [1.2K]  XMLXsiTypeConverter.java
    └── [4.0K]  test
        └── [4.0K]  java
            └── [4.0K]  scabench
                └── [ 477]  CVE202245688Test.java

13 directories, 31 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。