Jazzer has found the following vulnerabilities and bugs.
As Jazzer is used to fuzz JVM projects in OSS-Fuzz, further findings are listed on the OSS-Fuzz issue tracker.
If you find bugs with Jazzer, we would like to hear from you! Feel free to open an issue or submit a pull request.
Project | Bug | Status | CVE | Found by |
---|---|---|---|---|
mysql/mysql-connector-j | Remote code execution via abusing connection property propertiesTransform | fixed | CVE-2023-21971 | OSS-Fuzz |
hsqldb | Remote code execution via prepared statement values | fixed | CVE-2022-41853 | OSS-Fuzz |
spring-projects/spring-framework | OutOfMemoryError via specially crafted SpEL expressions | fixed | CVE-2023-20863 | OSS-Fuzz |
spring-projects/spring-framework | OutOfMemoryError via specially crafted SpEL expressions | fixed | CVE-2023-20861 | OSS-Fuzz |
protocolbuffers/protobuf | Small protobuf messages can consume minutes of CPU time | fixed | CVE-2022-3171 | OSS-Fuzz |
OpenJDK | OutOfMemoryError via a small BMP image | fixed | CVE-2022-21360 | Code Intelligence |
OpenJDK | OutOfMemoryError via a small TIFF image | fixed | CVE-2022-21366 | Code Intelligence |
protocolbuffers/protobuf | Small protobuf messages can consume minutes of CPU time | fixed | CVE-2021-22569 | OSS-Fuzz |
jhy/jsoup | More than 19 Bugs found in HTML and XML parser | fixed | CVE-2021-37714 | Code Intelligence |
Apache/commons-compress | Infinite loop when loading a crafted 7z | fixed | CVE-2021-35515 | Code Intelligence |
Apache/commons-compress | OutOfMemoryError when loading a crafted 7z | fixed | CVE-2021-35516 | Code Intelligence |
Apache/commons-compress | Infinite loop when loading a crafted TAR | fixed | CVE-2021-35517 | Code Intelligence |
Apache/commons-compress | OutOfMemoryError when loading a crafted ZIP | fixed | CVE-2021-36090 | Code Intelligence |
Apache/PDFBox | Infinite loop when loading a crafted PDF | fixed | CVE-2021-27807 | Code Intelligence |
Apache/PDFBox | OutOfMemoryError when loading a crafted PDF | fixed | CVE-2021-27906 | Code Intelligence |
netplex/json-smart-v1 netplex/json-smart-v2 | JSONParser#parse throws an undeclared exception | fixed | CVE-2021-27568 | @GanbaruTobi |
OWASP/json-sanitizer | Output can contain `</script>` and `]]>`, which allows XSS | fixed | CVE-2021-23899 | Code Intelligence |
OWASP/json-sanitizer | Output can be invalid JSON and undeclared exceptions can be thrown | fixed | CVE-2021-23900 | Code Intelligence |
alibaba/fastjson | JSON#parse throws undeclared exceptions | fixed | | Code Intelligence |
Apache/commons-compress | Infinite loop and OutOfMemoryError in TarFile | fixed | | Code Intelligence |
Apache/commons-compress | NullPointerException in ZipFile | fixed | | Code Intelligence |
Apache/commons-imaging | Parsers for multiple image formats throw undeclared exceptions | reported | | Code Intelligence |
Apache/PDFBox | Various undeclared exceptions | fixed | | Code Intelligence |
cbeust/klaxon | Default parser throws runtime exceptions | fixed | | Code Intelligence |
FasterXML/jackson-dataformats-binary | CBORParser throws an undeclared exception due to missing bounds checks when parsing Unicode | fixed | | Code Intelligence |
FasterXML/jackson-dataformats-binary | CBORParser throws an undeclared exception on dangling arrays | fixed | | Code Intelligence |
ngageoint/tiff-java | readTiff Index Out Of Bounds | fixed | | @raminfp |
google/re2j | NullPointerException in Pattern.compile | reported | | @schirrmacher |
google/gson | ArrayIndexOutOfBounds in ParseString | fixed | | @DavidKorczynski |
snakeyaml | StackOverflowError in Composer | fixed | CVE-2022-38749 | Code Intelligence |
snakeyaml | StackOverflowError in BaseConstructor | fixed | CVE-2022-38750 | Code Intelligence |
snakeyaml | StackOverflowError caused by regex parse failure in java.util.regex | fixed | CVE-2022-38751 | Code Intelligence |
snakeyaml | StackOverflowError caused by recursion in java.util.ArrayList | fixed | CVE-2022-38752 | Code Intelligence |
snakeyaml | StackOverflowError caused by recursion in java.util.ArrayList | fixed | CVE-2022-41854 | Code Intelligence |
jettison-json/jettison | StackOverflowError in JSONTokener | fixed | CVE-2022-40149 | Code Intelligence |
jettison-json/jettison | OutOfMemoryError when parsing json objects | fixed | CVE-2022-40150 | Code Intelligence |
x-stream/xstream | StackOverflowError in xstream.core | fixed | CVE-2022-40151 | Code Intelligence |
FasterXML/woodstox | StackOverflowError in WordResolver | fixed | CVE-2022-40152 | Code Intelligence |
HtmlUnit/htmlunit | StackOverflowError in DomNode | fixed | CVE-2023-2798 | OSS-Fuzz |
alibaba/fastjson2 | StackOverflowError in DefaultJSONParser | not fixed | CVE-2022-40173 | Code Intelligence |
alibaba/fastjson2 | StackOverflowError in JSONPath | not fixed | CVE-2022-40174 | Code Intelligence |
alibaba/fastjson2 | StackOverflowError in JSONPath | not fixed | CVE-2022-40175 | Code Intelligence |
alibaba/fastjson2 | StackOverflowError in DefaultJSONParser | not fixed | CVE-2022-41855 | Code Intelligence |
alibaba/fastjson2 | StackOverflowError in SerialContext | not fixed | CVE-2022-41856 | Code Intelligence |
Apache/commons-jxpath | Remote code execution via crafted XPath expression | not fixed | | Code Intelligence |