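OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. When the sanitized output is embedded in an HTML SCRIPT element or an XML CDATA section, these sequences end the enclosing element or section early, which allows an attacker who controls the input to inject arbitrary HTML or XML into embedding documents. Deployments that embed sanitizer output in this way should run 1.2.2 or later (CVE-2021-23899).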
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "323372626607349166269134064051460937550", "281540624948202154016147908277489889112", "10422161611163388661781270418470123039", "293625421098164197743335124240358941919", "50888934875141958073919872945025375517", "156345042501500560997947285871748547822", "190614891019192016033089170304439273891", "206108665404963412418727983737632459797", "311264598422190495706136753924968620857" ] }, "signature_type": "Line", "source": "https://github.com/owasp/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e", "target": { "file": "src/test/java/com/google/json/JsonSanitizerTest.java" }, "signature_version": "v1", "deprecated": false, "id": "CVE-2021-23899-64d45075" }, { "digest": { "function_hash": "105576089061181633384202976764767995078", "length": 857.0 }, "signature_type": "Function", "source": "https://github.com/owasp/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e", "target": { "file": "src/test/java/com/google/json/FuzzyTest.java", "function": "testSanitizerLikesFuzzyWuzzyInputs" }, "signature_version": "v1", "deprecated": false, "id": "CVE-2021-23899-6ec1aa4c" }, { "digest": { "threshold": 0.9, "line_hashes": [ "186860049387706252174710437488261035074", "118898535682368993706272517936523330768", "77754662574044532338395744154173700562", "145565775578802715228502711527023464545", "282013172137993518429794730838349675663", "31819421180844700569333099366287102771", "12372445699804039305383296177418473916" ] }, "signature_type": "Line", "source": "https://github.com/owasp/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e", "target": { "file": "src/test/java/com/google/json/FuzzyTest.java" }, "signature_version": "v1", "deprecated": false, "id": "CVE-2021-23899-f59aed4b" } ] }