Vulnerabilities > CVE-2024-21634 - Unspecified vulnerability in Amazon ION

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

amazon

NVD

Published: 2024-01-03

Updated: 2024-11-21

Summary

Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the `IonValue` model and then invoke certain `IonValue` methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the `IonValue` model, results in a `StackOverflowError` originating from the `ion-java` library. The patch is included in `ion-java` 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with.

Vulnerable Configurations

Part	Description	Count
Application	Amazon Amazon ION - Amazon ION 1.0.0 Amazon ION 1.0.1 Amazon ION 1.0.2 Amazon ION 1.0.3 Amazon ION 1.1.0 Amazon ION 1.1.1 Amazon ION 1.1.2 Amazon ION 1.2.0 Amazon ION 1.3.0 Amazon ION 1.3.1 Amazon ION 1.6.0 Amazon ION 1.6.1 Amazon ION 1.7.0 Amazon ION 1.7.1 Amazon ION 1.8.0 Amazon ION 1.8.1 Amazon ION 1.8.2 Amazon ION 1.8.3 Amazon ION 1.9.0 Amazon ION 1.9.1 Amazon ION 1.9.2 Amazon ION 1.9.3 Amazon ION 1.9.4 Amazon ION 1.9.5 Amazon ION 1.9.6 Amazon ION 1.10.0 Amazon ION 1.10.1 Amazon ION 1.10.2 Amazon ION 1.10.3 Amazon ION 1.10.4	31

Summary

Vulnerable Configurations

References