CVE-2021-23899
📋 TL;DR
CVE-2021-23899 is a vulnerability in OWASP json-sanitizer versions before 1.2.2 where the sanitizer fails to properly escape closing SCRIPT tags and CDATA section delimiters. This allows attackers to inject arbitrary HTML or XML into embedding documents when processing crafted JSON input. Any application using vulnerable versions of OWASP json-sanitizer to sanitize JSON before embedding it in HTML/XML documents is affected.
💻 Affected Systems
- OWASP json-sanitizer
📦 What is this software?
OWASP json-sanitizer is a Java library that takes JSON-like input and emits well-formed JSON intended to be safe to embed directly in HTML and XML documents, for example inside a SCRIPT element or a CDATA section.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of web application security leading to cross-site scripting (XSS) attacks, data theft, session hijacking, and potential remote code execution depending on application context.
Likely Case
Cross-site scripting (XSS) attacks allowing attackers to steal user sessions, redirect users to malicious sites, or perform actions on behalf of authenticated users.
If Mitigated
Limited impact with proper output encoding and additional security layers, though injection vectors remain possible.
🎯 Exploit Status
Exploitation requires the application to embed sanitized JSON output in HTML/XML contexts. Proof-of-concept examples are available in the GitHub commit diff.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.2
Vendor Advisory: https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0
Restart Required: No
Instructions:
1. Update the json-sanitizer dependency to version 1.2.2 or later.
2. For Maven projects: set the json-sanitizer dependency in pom.xml to <version>1.2.2</version>.
3. For Gradle projects: update build.gradle to implementation 'com.mikesamuel:json-sanitizer:1.2.2'.
4. Rebuild and redeploy the application.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement additional input validation and context-aware output encoding for JSON data before embedding it in HTML/XML.
Content Security Policy
Implement strict Content Security Policy headers to mitigate XSS impact.
🧯 If You Can't Patch
- Implement additional output encoding layers specifically for SCRIPT and CDATA delimiters
- Restrict json-sanitizer output to contexts where it is not embedded in HTML or XML documents
🔍 How to Verify
Check if Vulnerable:
Check your project's dependency management file (pom.xml, build.gradle, package.json) for json-sanitizer version below 1.2.2.
Check Version:
For Maven: mvn dependency:tree | grep json-sanitizer
For Gradle: gradle dependencies | grep json-sanitizer
Verify Fix Applied:
Verify json-sanitizer version is 1.2.2 or higher in dependencies and test with known malicious JSON inputs containing SCRIPT and CDATA delimiters.
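The following stand-alone check, written for this page and not taken from the json-sanitizer project, performs the "Verify Fix Applied" test above and also shows the extra output-encoding layer recommended under "If You Can't Patch". It assumes json-sanitizer is on the classpath and calls its public JsonSanitizer.sanitize entry point; the probe strings are constructed for the test.

```java
import com.google.json.JsonSanitizer;
import java.util.List;
import java.util.regex.Pattern;

/** Regression check for CVE-2021-23899: sanitized JSON must not be able to
 *  terminate an enclosing SCRIPT element or an XML CDATA section. */
public final class EmbeddingSafetyCheck {
    // Browsers close a script element on "</script" in any letter case.
    private static final Pattern CLOSE_SCRIPT =
        Pattern.compile("</script", Pattern.CASE_INSENSITIVE);
    private static final String CDATA_END = "]]>";

    /** True when the text cannot break out of a SCRIPT or CDATA context. */
    static boolean isSafeToEmbed(String json) {
        return !CLOSE_SCRIPT.matcher(json).find() && !json.contains(CDATA_END);
    }

    /** Additional encoding layer (hypothetical helper): rewrites the two delimiters
     *  with JSON-valid escapes so the value still parses identically but is inert in
     *  HTML/XML. Valid JSON has no '<' or '>' outside string literals, so only string
     *  contents are affected. */
    static String escapeForEmbedding(String json) {
        return json.replace("</", "<\\/").replace("]]>", "]]\\u003e");
    }

    public static void main(String[] args) {
        // Constructed probes: closing SCRIPT tag (two letter cases) and CDATA terminator.
        List<String> probes = List.of(
            "{\"a\":\"x</script>y\"}",
            "{\"a\":\"x</ScRiPt>y\"}",
            "{\"a\":\"x]]>y\"}");
        boolean allSafe = true;
        for (String p : probes) {
            String out = JsonSanitizer.sanitize(p);
            boolean safe = isSafeToEmbed(out);
            allSafe &= safe;
            System.out.printf("%-28s -> %s%n", p, safe ? "safe" : "UNSAFE: " + out);
            // The extra layer must neutralise the output whatever the library version does.
            if (!isSafeToEmbed(escapeForEmbedding(out))) {
                throw new AssertionError("escape layer failed for " + p);
            }
        }
        System.out.println(allSafe
            ? "json-sanitizer output is embedding-safe (expected for 1.2.2 or later)"
            : "VULNERABLE: update json-sanitizer to 1.2.2 or later");
    }
}
```

Run it against the version actually resolved in your build (see the dependency-tree commands above) rather than a separately downloaded jar, so the check reflects what is deployed.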
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns of JSON processing errors
- Increased sanitization failures
Network Indicators:
- HTTP requests containing crafted JSON with SCRIPT or CDATA patterns
SIEM Query:
web_requests WHERE (request_body CONTAINS '</script>' OR request_body CONTAINS ']]>') AND uri_path CONTAINS 'json'
🔗 References
- https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e
- https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2
- https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0