Findings

Jazzer has found the following vulnerabilities and bugs.

As Jazzer is used to fuzz JVM projects in OSS-Fuzz, further findings are listed on the OSS-Fuzz issue tracker.

If you find bugs with Jazzer, we would like to hear from you! Feel free to open an issue or submit a pull request.

| Project | Bug | Status | CVE | found by |
| --- | --- | --- | --- | --- |
| hsqldb | Remote code execution via prepared statement values | fixed | CVE-2022-41853 | OSS-Fuzz |
| protocolbuffers/protobuf | Small protobuf messages can consume minutes of CPU time | fixed | CVE-2022-3171 | OSS-Fuzz |
| OpenJDK | OutOfMemoryError via a small BMP image | fixed | CVE-2022-21360 | Code Intelligence |
| OpenJDK | OutOfMemoryError via a small TIFF image | fixed | CVE-2022-21366 | Code Intelligence |
| protocolbuffers/protobuf | Small protobuf messages can consume minutes of CPU time | fixed | CVE-2021-22569 | OSS-Fuzz |
| jhy/jsoup | More than 19 Bugs found in HTML and XML parser | fixed | CVE-2021-37714 | Code Intelligence |
| Apache/commons-compress | Infinite loop when loading a crafted 7z | fixed | CVE-2021-35515 | Code Intelligence |
| Apache/commons-compress | OutOfMemoryError when loading a crafted 7z | fixed | CVE-2021-35516 | Code Intelligence |
| Apache/commons-compress | Infinite loop when loading a crafted TAR | fixed | CVE-2021-35517 | Code Intelligence |
| Apache/commons-compress | OutOfMemoryError when loading a crafted ZIP | fixed | CVE-2021-36090 | Code Intelligence |
| Apache/PDFBox | Infinite loop when loading a crafted PDF | fixed | CVE-2021-27807 | Code Intelligence |
| Apache/PDFBox | OutOfMemoryError when loading a crafted PDF | fixed | CVE-2021-27906 | Code Intelligence |
| netplex/json-smart-v1, netplex/json-smart-v2 | JSONParser#parse throws an undeclared exception | fixed | CVE-2021-27568 | @GanbaruTobi |
| OWASP/json-sanitizer | Output can contain `</script>` and `]]>`, which allows XSS | fixed | CVE-2021-23899 | Code Intelligence |
| OWASP/json-sanitizer | Output can be invalid JSON and undeclared exceptions can be thrown | fixed | CVE-2021-23900 | Code Intelligence |
| alibaba/fastjson | JSON#parse throws undeclared exceptions | fixed | | Code Intelligence |
| Apache/commons-compress | Infinite loop and OutOfMemoryError in TarFile | fixed | | Code Intelligence |
| Apache/commons-compress | NullPointerException in ZipFile | fixed | | Code Intelligence |
| Apache/commons-imaging | Parsers for multiple image formats throw undeclared exceptions | reported | | Code Intelligence |
| Apache/PDFBox | Various undeclared exceptions | fixed | | Code Intelligence |
| cbeust/klaxon | Default parser throws runtime exceptions | fixed | | Code Intelligence |
| FasterXML/jackson-dataformats-binary | CBORParser throws an undeclared exception due to missing bounds checks when parsing Unicode | fixed | | Code Intelligence |
| FasterXML/jackson-dataformats-binary | CBORParser throws an undeclared exception on dangling arrays | fixed | | Code Intelligence |
| ngageoint/tiff-java | readTiff Index Out Of Bounds | fixed | | @raminfp |
| google/re2j | NullPointerException in Pattern.compile | reported | | @schirrmacher |
| google/gson | ArrayIndexOutOfBounds in ParseString | fixed | | @DavidKorczynski |
| snakeyaml | StackOverflowError in Composer | fixed | CVE-2022-38749 | Code Intelligence |
| snakeyaml | StackOverflowError in BaseConstructor | fixed | CVE-2022-38750 | Code Intelligence |
| snakeyaml | StackOverflowError caused by regex parse failure in java.util.regex | fixed | CVE-2022-38751 | Code Intelligence |
| snakeyaml | StackOverflowError caused by recursion in java.util.ArrayList | fixed | CVE-2022-38752 | Code Intelligence |
| snakeyaml | StackOverflowError caused by recursion in java.util.ArrayList | fixed | CVE-2022-41854 | Code Intelligence |
| jettison-json/jettison | StackOverflowError in JSONTokener | fixed | CVE-2022-40149 | Code Intelligence |
| jettison-json/jettison | OutOfMemoryError when parsing json objects | fixed | CVE-2022-40150 | Code Intelligence |
| x-stream/xstream | StackOverflowError in xstream.core | fixed | CVE-2022-40151 | Code Intelligence |
| FasterXML/woodstox | StackOverflowError in WordResolver | fixed | CVE-2022-40152 | Code Intelligence |
| alibaba/fastjson2 | StackOverflowError in DefaultJSONParser | not fixed | CVE-2022-40173 | Code Intelligence |
| alibaba/fastjson2 | StackOverflowError in JSONPath | not fixed | CVE-2022-40174 | Code Intelligence |
| alibaba/fastjson2 | StackOverflowError in JSONPath | not fixed | CVE-2022-40175 | Code Intelligence |
| alibaba/fastjson2 | StackOverflowError in DefaultJSONParser | not fixed | CVE-2022-41855 | Code Intelligence |
| alibaba/fastjson2 | StackOverflowError in SerialContext | not fixed | CVE-2022-41856 | Code Intelligence |
| Apache/commons-jxpath | Remote code execution via crafted XPath expression | not fixed | | Code Intelligence |