CVE-2023-3040 - OpenCVE

A debug function in the lua-resty-json package, up to commit id 3ef9492bd3a44d9e51301d6adc3cd1789c8f534a (merged in PR #14) contained an out of bounds access bug that could have allowed an attacker to launch a DoS if the function was used to parse untrusted input data. It is important to note that because this debug function was only used in tests and demos, it was not exploitable in a normal environment.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cloudflare	Lua-resty-json

Configuration 1 [-]

cpe:2.3:a:cloudflare:lua-resty-json:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/cloudflare/lua-resty-json/pull/14
https://github.com/cloudflare/lua-resty-json/security/advisories/GHSA-h8rp-9622-83pg

History

No history.

MITRE

Status: PUBLISHED

Assigner: cloudflare

Published: 2023-06-14T11:54:51.131Z

Updated: 2024-08-02T06:41:04.135Z

Reserved: 2023-06-01T15:55:07.745Z

Link: CVE-2023-3040

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-06-14T12:15:09.730

Modified: 2023-06-28T19:16:52.077

Link: CVE-2023-3040

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3040", "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "state": "PUBLISHED", "assignerShortName": "cloudflare", "dateReserved": "2023-06-01T15:55:07.745Z", "datePublished": "2023-06-14T11:54:51.131Z", "dateUpdated": "2024-08-02T06:41:04.135Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "lua-resty-json", "platforms": ["Windows", "Linux", "MacOS", "x86", "64 bit", "32 bit"], "product": "lua-resty-json", "vendor": "Cloudflare", "versions": [{"changes": [{"at": "14", "status": "unaffected"}], "lessThan": "14", "status": "affected", "version": "1", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Carlos L\u00f3pez (00xc)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A debug function in the lua-resty-json package, up to commit id 3ef9492bd3a44d9e51301d6adc3cd1789c8f534a (merged in PR #14) contained an out of bounds access bug that could have allowed an attacker to launch a DoS if the function was used to parse untrusted input data</span>. It is important to note that because this debug function was only used in tests and demos, it was not exploitable in a normal environment.</span><br>"}], "value": "A debug function in the lua-resty-json package, up to commit id 3ef9492bd3a44d9e51301d6adc3cd1789c8f534a (merged in PR #14) contained an out of bounds access bug that could have allowed an attacker to launch a DoS if the function was used to parse untrusted input data. It is important to note that because this debug function was only used in tests and demos, it was not exploitable in a normal environment.\n"}], "impacts": [{"capecId": "CAPEC-540", "descriptions": [{"lang": "en", "value": "CAPEC-540 Overread Buffers"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare", "dateUpdated": "2023-06-14T11:55:19.181Z"}, "references": [{"url": "https://github.com/cloudflare/lua-resty-json/pull/14"}, {"url": "https://github.com/cloudflare/lua-resty-json/security/advisories/GHSA-h8rp-9622-83pg"}], "source": {"discovery": "EXTERNAL"}, "title": "Out of Bounds Access Leading to Undefined Behavior", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:41:04.135Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/cloudflare/lua-resty-json/pull/14", "tags": ["x_transferred"]}, {"url": "https://github.com/cloudflare/lua-resty-json/security/advisories/GHSA-h8rp-9622-83pg", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:lua-resty-json:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1AEFCAA-2DCC-4044-A22F-A8B8AC78C595", "versionEndExcluding": "2023-05-05", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A debug function in the lua-resty-json package, up to commit id 3ef9492bd3a44d9e51301d6adc3cd1789c8f534a (merged in PR #14) contained an out of bounds access bug that could have allowed an attacker to launch a DoS if the function was used to parse untrusted input data. It is important to note that because this debug function was only used in tests and demos, it was not exploitable in a normal environment.\n"}], "id": "CVE-2023-3040", "lastModified": "2023-06-28T19:16:52.077", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cna@cloudflare.com", "type": "Secondary"}]}, "published": "2023-06-14T12:15:09.730", "references": [{"source": "cna@cloudflare.com", "tags": ["Patch"], "url": "https://github.com/cloudflare/lua-resty-json/pull/14"}, {"source": "cna@cloudflare.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/cloudflare/lua-resty-json/security/advisories/GHSA-h8rp-9622-83pg"}], "sourceIdentifier": "cna@cloudflare.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "cna@cloudflare.com", "type": "Secondary"}]}