CVE-2022-23459 - OpenCVE

Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. Users are advised to find a replacement.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Json\+\+ Project	Json\+\+

Configuration 1 [-]

OR	cpe:2.3:a:json\+\+_project:json\+\+:1.0.0:::::::*
	cpe:2.3:a:json\+\+_project:json\+\+:1.0.1:::::::*

No data.

References

Link	Providers
https://securitylab.github.com/advisories/GHSL-2022-048_Jsonxx

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-08-19T19:00:16

Updated: 2024-08-03T03:43:46.049Z

Reserved: 2022-01-19T00:00:00

Link: CVE-2022-23459

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-19T19:15:07.600

Modified: 2023-07-13T17:16:54.100

Link: CVE-2022-23459

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Jsonxx", "vendor": "hjiang", "versions": [{"lessThanOrEqual": "1.0.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. Users are advised to find a replacement."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-415", "description": "CWE-415 Double Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-19T19:00:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://securitylab.github.com/advisories/GHSL-2022-048_Jsonxx"}], "source": {"discovery": "UNKNOWN"}, "title": "Double free or Use after Free in Value class of Jsonxx", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-23459", "STATE": "PUBLIC", "TITLE": "Double free or Use after Free in Value class of Jsonxx"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jsonxx", "version": {"version_data": [{"version_affected": "<=", "version_value": "1.0.1"}]}}]}, "vendor_name": "hjiang"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. Users are advised to find a replacement."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-416 Use After Free"}]}, {"description": [{"lang": "eng", "value": "CWE-415 Double Free"}]}]}, "references": {"reference_data": [{"name": "https://securitylab.github.com/advisories/GHSL-2022-048_Jsonxx", "refsource": "MISC", "url": "https://securitylab.github.com/advisories/GHSL-2022-048_Jsonxx"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.049Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2022-048_Jsonxx"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-23459", "datePublished": "2022-08-19T19:00:16", "dateReserved": "2022-01-19T00:00:00", "dateUpdated": "2024-08-03T03:43:46.049Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:json\\+\\+_project:json\\+\\+:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "CE3FE9F1-CD11-4BA9-86D9-9F4887D8814D", "vulnerable": true}, {"criteria": "cpe:2.3:a:json\\+\\+_project:json\\+\\+:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA7B9E9A-8AAC-4348-A21F-CF6273294E63", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. Users are advised to find a replacement."}, {"lang": "es", "value": "Jsonxx o Json++ es un analizador, escritor y lector de JSON escrito en C++. En versiones afectadas de jsonxx el uso de la clase Value puede conllevar a una corrupci\u00f3n de memoria por medio de una doble liberaci\u00f3n o de un uso de memoria previamente liberada. La clase Value presenta un operador de asignaci\u00f3n por defecto que puede ser usado con tipos de punteros que pueden apuntar a datos alterables donde el propio puntero no es actualizado. Este problema se presenta en el commit actual del proyecto jsonxx. El proyecto en s\u00ed ha sido archivado y no son esperadas actualizaciones. Es recomendado a usuarios buscar un sustituto."}], "id": "CVE-2022-23459", "lastModified": "2023-07-13T17:16:54.100", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-08-19T19:15:07.600", "references": [{"source": "security-advisories@github.com", "tags": ["Broken Link"], "url": "https://securitylab.github.com/advisories/GHSL-2022-048_Jsonxx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-415"}, {"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-415"}, {"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Secondary"}]}