POC详情: fa65f98f92970ac7d7cea1a4378872dff529cb3c

来源
https://github.com/scabench/jsonorg-fp3
关联漏洞
标题: Hutool 缓冲区错误漏洞 (CVE-2022-45688)
描述:Hutool是中国Dromara社区的一个小而全的 Java 工具类库。 Hutool v5.8.10版本存在安全漏洞,该漏洞源于XML.toJSONObject组件中的堆栈溢出,允许攻击者通过精心制作的JSON或XML数据导致拒绝服务(DoS)。
描述
simple application with a (unreachable!) CVE-2022-45688 vulnerability
介绍
## json.org CVE-2022-45688 false positive

The project contains a [json.org](https://mvnrepository.com/artifact/org.json/json/20220924) dependency with [CVE-2022-45688](https://nvd.nist.gov/vuln/detail/CVE-2022-45688).
It does invoke the vulnerable class, but the input data is sanitised (with a simple method of counting `<` characters, therefore estimating the max depth of the DOM tree to be generated, and enforcing a precondition that this must be less than 1000)
and the vulnerability can therefore not be exploited for a DoS attack.

Both metadata-based and callgraph-based software composition analyses will produce a false positive.
To precisely detect whether the application is vulnerable, a more sophisticated 
inter-procedural dataflow / taint analysis is required.

Note that there is a proof-of-vulnerability test to demonstrate the vulnerability, this test (and therefore the build with `mvn test`)
fails. See [https://github.com/scabench/jsonorg-tp1](https://github.com/scabench/jsonorg-tp1) for how the test works.

### Running Software Composition Analyses

There are several sh scripts to run different analyses, result resports can be found in `scan-results`.

### Generating the SBOM

The `pom.xml` has a plugin to generate a [SBOM](https://www.cisa.gov/sbom) in [CycloneDX](https://cyclonedx.org/) format.
To do this, run `mvn cyclonedx:makePackageBom`, the SBOM can be found in
`target/` in `json` and `xml` format.
文件快照

 [4.0K]  /data/pocs/fa65f98f92970ac7d7cea1a4378872dff529cb3c
├── [ 11K]  LICENSE
├── [2.7K]  pom.xml
├── [1.4K]  README.md
├── [ 452]  run-owasp.sh
├── [ 261]  run-snyk.sh
├── [4.0K]  scan-results
│   ├── [4.0K]  dependency-check
│   │   └── [ 13K]  dependency-check-report.json
│   └── [4.0K]  snyk
│       └── [ 11K]  snyk-report.json
└── [4.0K]  src
    ├── [4.0K]  main
    │   └── [4.0K]  java
    │       └── [4.0K]  scabench
    │           └── [ 885]  XML2JSONConverter.java
    └── [4.0K]  test
        └── [4.0K]  java
            └── [4.0K]  scabench
                └── [ 473]  CVE202245688Test.java

10 directories, 9 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。