6.2

CVE-2023-50268

Exploit

jq has stack-based buffer overflow in decNaNs

jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.
Data provided by the National Vulnerability Database (NVD)
Jqlang Jq Version 1.7
No warning was found for this CVE.
EPSS Metrics

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.44% | 0.353 |
CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| security-advisories@github.com | 6.2 | 2.5 | 3.6 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

CWE-121 Stack-based Buffer Overflow

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

http://www.openwall.com/lists/oss-security/2023/12/15/10 (Patch, Third Party Advisory, Mailing List)
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771 (Mailing List, Issue Tracking)
https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b (Patch)
https://github.com/jqlang/jq/pull/2804 (Patch, Issue Tracking)
https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j (Vendor Advisory, Exploit)