[CONJ-1315] Cap numeric-string length before BigDecimal/BigInteger parsing to prevent CPU-exhaustion DoS - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.3.5, 3.4.3, 2.7.14, 3.5.9
Component/s: security
Labels:
None

Description

in case of MITM server sending super long String value for new BigDecimal(String) and new BigInteger(String) result in java parsing the is O(n²) time, possibly resulting in CPU-exhaustion DoS.

Those string size will be limited as 1024 chars.
(The 1024 cap is comfortably above any legitimate value (MariaDB DECIMAL maxes at 65 digits) keeping worst-case parse time sub-millisecond.

Thanks to tonghuaroot for the report.

Attachments

Activity

People

Assignee:: Diego Dupin

Reporter:: Diego Dupin

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2026-06-01 13:37

Updated:: 2026-06-08 09:59

Resolved:: 2026-06-01 13:50

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.