ECE Denial of Service (DoS) issue (ESA-2023-09)
A denial of service vulnerability was discovered in ECE that could cause the ECE Admin API server to become unavailable if a maliciously crafted JWT is supplied. The root cause is a transitive dependency, json-smart, which parses nested JSON arrays recursively without a nesting limit, so a token whose payload contains a sufficiently deep array exhausts the server's stack while the token is being parsed. Elasticsearch deployments hosted on ECE are unaffected; only the ECE Admin API itself is exposed.
Affected Versions: ECE 2.x before 2.13.3 and ECE 3.x before 3.3.0
Solutions and Mitigations:
The dependency has been updated, which resolves the issue in versions 2.13.3 and 3.3.0. Upgrade to ECE 2.13.3 or 3.3.0 (or later).
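The example below illustrates the bug class behind this advisory and the shape of a defence-in-depth check that an operator could place in front of the Admin API while an upgrade is scheduled. It is added example code, written in Python as a stand-in for the Java json-smart parser; it is not json-smart, ECE or Elastic code, and it reproduces only the mechanism (unbounded recursion on nested arrays), not the real library. The toy grammar (arrays, integers, null), the constant MAX_DEPTH, and helper names such as parse_naive, parse_bounded, max_nesting and jwt_payload_is_safe are all assumptions made for the illustration, and the hostile token is constructed inline.

```python
"""Added illustration of ESA-2023-09's bug class: a recursive JSON parser
with no nesting limit is driven into stack exhaustion by a deeply nested
array. Example code, not json-smart or ECE source. The toy grammar (arrays,
integers, null), MAX_DEPTH and all helper names are assumptions."""
import base64
import json

MAX_DEPTH = 64  # assumed budget; real JWT claim sets are a few levels deep


def parse_naive(text, pos=0):
    """Recursive descent with no depth limit: one stack frame per '['."""
    if text[pos] == '[':
        items, pos = [], pos + 1
        while text[pos] != ']':
            value, pos = parse_naive(text, pos)
            items.append(value)
            if text[pos] == ',':
                pos += 1
        return items, pos + 1
    if text.startswith('null', pos):
        return None, pos + 4
    end = pos + 1
    while end < len(text) and text[end].isdigit():
        end += 1
    return int(text[pos:end]), end


def parse_bounded(text, pos=0, depth=0):
    """Same grammar, but the nesting level is checked before recursing."""
    if text[pos] == '[':
        if depth + 1 > MAX_DEPTH:
            raise ValueError(f"array nesting deeper than {MAX_DEPTH}")
        items, pos = [], pos + 1
        while text[pos] != ']':
            value, pos = parse_bounded(text, pos, depth + 1)
            items.append(value)
            if text[pos] == ',':
                pos += 1
        return items, pos + 1
    if text.startswith('null', pos):
        return None, pos + 4
    end = pos + 1
    while end < len(text) and text[end].isdigit():
        end += 1
    return int(text[pos:end]), end


def nested_array(depth):
    """Constructed hostile input: `depth` opening brackets, then closers."""
    return '[' * depth + ']' * depth


def outcome(parser, text):
    """Classify a parser's behaviour on text: 'ok', 'exhausted' or 'rejected'."""
    try:
        parser(text)
        return 'ok'
    except RecursionError:
        return 'exhausted'  # the process-level failure the advisory describes
    except ValueError:
        return 'rejected'


def max_nesting(text):
    """String-aware linear scan of bracket depth. No recursion, so it can be
    run on untrusted input before any real parser touches it."""
    depth = peak = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == '\\':
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in '[{':
            depth += 1
            peak = max(peak, depth)
        elif ch in ']}':
            depth -= 1
    return peak


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode()


def jwt_with_payload(payload_json):
    """Unsigned, JWT-shaped token (alg=none). The DoS happens while the
    payload is parsed, i.e. before any signature could be verified."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(payload_json.encode())}."


def jwt_payload_is_safe(token, limit=MAX_DEPTH):
    """Pre-check the payload segment's nesting without parsing it."""
    segment = token.split('.')[1]
    raw = base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))
    return max_nesting(raw.decode('utf-8', 'replace')) <= limit
```

The point of `jwt_payload_is_safe` is that it is linear and non-recursive: it can sit at a reverse proxy or in a request filter and reject a token with a thousands-deep payload before the vulnerable parser ever sees it. Note that such a gate is a mitigation, not a fix; the advisory's fix is the dependency upgrade shipped in 2.13.3 and 3.3.0, and the gate does nothing against other inputs the same library might parse.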
CVSSv3: 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2023-1370