CVE-2024-23078

9.1 CRITICAL

📋 TL;DR

CVE-2024-23078 is a disputed vulnerability in JGraphT Core v1.5.2 where a NullPointerException could occur in the ToleranceDoubleComparator::compare method. If exploited, this could cause denial of service in applications using JGraphT for graph processing. The vulnerability is disputed by third parties who question the evidence of actual exploitability.

💻 Affected Systems

Products:
  • JGraphT Core
Versions: v1.5.2
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using ToleranceDoubleComparator with null Double parameters

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Application crash leading to denial of service for graph processing functionality

🟠 Likely Case: Application instability or crashes when processing specific graph data with null values

🟢 If Mitigated: Minimal impact with proper input validation and exception handling

🌐 Internet-Facing: LOW - Requires specific graph processing functionality and disputed exploitability
🏢 Internal Only: LOW - Limited to applications using JGraphT's ToleranceDoubleComparator with null inputs

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: No
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Vulnerability is disputed by multiple third parties; requires specific conditions to trigger

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available due to disputed nature of vulnerability

🔧 Temporary Workarounds

Input validation (applies to: all versions)

Add null checks before calling ToleranceDoubleComparator::compare, so that no null Double is ever unboxed inside the comparator:

  // Java
  if (double1 != null && double2 != null) {
      int result = comparator.compare(double1, double2);
  }

Exception handling (applies to: all versions)

Wrap comparator calls in try-catch blocks to handle NullPointerException (note that the closing brace must not be swallowed by the comment):

  // Java
  try {
      int result = comparator.compare(double1, double2);
  } catch (NullPointerException e) {
      // Handle exception
  }
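The two workarounds above, plus the cleaner option of giving nulls a defined ordering with the JDK's Comparator.nullsFirst, as an added example that is not code from this page or from the JGraphT project. It assumes jgrapht-core (v1.5.2) is on the classpath and that ToleranceDoubleComparator's no-argument constructor with the library's default tolerance is available; the class name NullSafeToleranceCompare and the three helper methods are hypothetical, and the input values are constructed:

```java
import java.util.Comparator;
import org.jgrapht.alg.util.ToleranceDoubleComparator;

// Hypothetical wrapper class; not part of JGraphT.
public final class NullSafeToleranceCompare {

    // Raw library comparator: it unboxes its Double arguments, so a null on
    // either side raises NullPointerException (the CVE-2024-23078 condition).
    // Assumes the no-arg constructor (default tolerance) exists in 1.5.2.
    private static final Comparator<Double> RAW = new ToleranceDoubleComparator();

    // Null-tolerant view: nulls sort before every non-null value, and the
    // library comparator is only ever handed non-null Doubles.
    private static final Comparator<Double> NULLS_FIRST = Comparator.nullsFirst(RAW);

    // Workaround 1 (input validation): reject nulls at the boundary with a
    // clear, application-level error instead of letting the library throw.
    static int compareValidated(Double a, Double b) {
        if (a == null || b == null) {
            throw new IllegalArgumentException("graph weights must not be null");
        }
        return RAW.compare(a, b);
    }

    // Workaround 2 (exception handling): contain the NullPointerException so a
    // single bad value cannot take down the whole graph-processing path. The
    // caller decides what a null means; here it is treated as "unordered" (0)
    // and the event is logged so the bad input can be traced.
    static int compareGuarded(Double a, Double b) {
        try {
            return RAW.compare(a, b);
        } catch (NullPointerException e) {
            System.err.println("null value reached ToleranceDoubleComparator: " + e);
            return 0;
        }
    }

    // Preferred: define an ordering for null so no exception is raised at all.
    static int compareNullsFirst(Double a, Double b) {
        return NULLS_FIRST.compare(a, b);
    }

    public static void main(String[] args) {
        // Constructed inputs: two weights equal within tolerance, and a missing one.
        Double w1 = 1.0;
        Double w2 = 1.0 + 1e-12;
        Double missing = null;

        System.out.println("validated(w1, w2)    = " + compareValidated(w1, w2));
        System.out.println("guarded(w1, null)    = " + compareGuarded(w1, missing));
        System.out.println("nullsFirst(null, w1) = " + compareNullsFirst(missing, w1));
        System.out.println("nullsFirst(w1, w2)   = " + compareNullsFirst(w1, w2));

        // The validation path rejects the null before the library sees it.
        try {
            compareValidated(missing, w2);
        } catch (IllegalArgumentException e) {
            System.out.println("validated(null, w2) rejected: " + e.getMessage());
        }
    }
}
```

Of the three, the nullsFirst wrapper is the least intrusive to adopt: any code that passes a Comparator<Double> into a JGraphT algorithm can pass the wrapped instance instead, and the library's own compare method is never reached with a null. The try-catch form should be a last resort, since it hides the input defect that produced the null.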

🧯 If You Can't Patch

  • Implement input validation to prevent null values from reaching the comparator
  • Add defensive exception handling around graph processing operations

🔍 How to Verify

Check if Vulnerable:

Check if application uses JGraphT v1.5.2 and calls ToleranceDoubleComparator::compare with potentially null Double parameters

Check Version:

Check Maven/Gradle dependencies or JGraphT version in classpath

Verify Fix Applied:

Test with null Double inputs to verify application handles them gracefully without crashes

📡 Detection & Monitoring

Log Indicators:

  • NullPointerException stack traces with a frame at org.jgrapht.alg.util.ToleranceDoubleComparator.compare (the ToleranceDoubleComparator::compare method; stack traces print the method with a dot, not ::)

Network Indicators:

  • None - local application crash only

SIEM Query:

source="application.logs" AND "NullPointerException" AND "ToleranceDoubleComparator"
