CVE-2023-34623
📋 TL;DR
This vulnerability in jtidy allows attackers to create denial of service conditions or other unspecified impacts by exploiting cyclic dependencies in crafted objects. It affects all systems using jtidy through version r938. The impact severity depends on how jtidy is integrated and what data it processes.
💻 Affected Systems
- jtidy
📦 What is this software?
Jtidy by Jtidy Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system crash or resource exhaustion leading to prolonged downtime, potentially enabling further attacks if jtidy is part of critical processing pipelines.
Likely Case
Denial of service through application crashes or high resource consumption when processing malicious input, disrupting dependent services.
If Mitigated
Limited impact with proper input validation and resource limits, potentially causing temporary processing delays but no system compromise.
🎯 Exploit Status
Exploitation requires sending crafted data to jtidy processing functions, but no public exploit code has been documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after r938
Vendor Advisory: https://github.com/trajano/jtidy/issues/4
Restart Required: Yes
Instructions:
1. Update jtidy dependency to version after r938. 2. Update pom.xml or build.gradle to reference fixed version. 3. Rebuild and redeploy affected applications. 4. Restart services using jtidy.
🔧 Temporary Workarounds
Input validation and sanitization
allImplement strict input validation to reject or sanitize data containing cyclic dependencies before passing to jtidy.
Resource limiting
allConfigure memory and CPU limits on processes using jtidy to contain potential DoS impact.
🧯 If You Can't Patch
- Implement network segmentation to isolate jtidy processing from critical systems
- Deploy WAF rules to detect and block cyclic dependency patterns in input
🔍 How to Verify
Check if Vulnerable:
Check jtidy version in dependencies: grep -r 'jtidy' pom.xml build.gradle gradle.properties, then verify version is r938 or earlier.Check Version:
java -cp jtidy.jar org.w3c.tidy.Version or check dependency manifest filesVerify Fix Applied:
Confirm jtidy version is after r938 and test with sample inputs containing cyclic dependencies to ensure proper handling.📡 Detection & Monitoring
Log Indicators:
- Stack traces containing jtidy classes with OutOfMemoryError or StackOverflowError
- Unusually high memory/CPU usage by Java processes using jtidy
Network Indicators:
- Repeated requests containing complex nested structures to jtidy endpoints
- Sudden traffic spikes to HTML/XML processing services
SIEM Query:
source="application.logs" AND ("OutOfMemoryError" OR "StackOverflowError") AND "jtidy"