{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-50268", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-05T20:42:59.380Z", "datePublished": "2023-12-13T20:49:54.982Z", "dateUpdated": "2024-08-02T22:16:46.221Z"}, "containers": {"cna": {"title": "jq has stack-based buffer overflow in decNaNs", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-120", "lang": "en", "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j"}, {"name": "https://github.com/jqlang/jq/pull/2804", "tags": ["x_refsource_MISC"], "url": "https://github.com/jqlang/jq/pull/2804"}, {"name": "https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b", "tags": ["x_refsource_MISC"], "url": "https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b"}, {"name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771", "tags": ["x_refsource_MISC"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771"}, {"url": "http://www.openwall.com/lists/oss-security/2023/12/15/10"}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"version": "= 1.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-13T20:49:54.982Z"}, "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue."}], "source": {"advisory": "GHSA-7hmr-442f-qc8j", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:16:46.221Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j"}, {"name": "https://github.com/jqlang/jq/pull/2804", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jqlang/jq/pull/2804"}, {"name": "https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b"}, {"name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771"}, {"url": "http://www.openwall.com/lists/oss-security/2023/12/15/10", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jqlang:jq:1.7:*:*:*:*:*:*:*", "matchCriteriaId": "AB4D6ED1-816E-4FB7-B9EE-188B66543156", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue."}, {"lang": "es", "value": "jq es un procesador JSON de l\u00ednea de comandos. La versi\u00f3n 1.7 es vulnerable al desbordamiento del b\u00fafer basado en pila en compilaciones que utilizan decNumber. La versi\u00f3n 1.7.1 contiene un parche para este problema."}], "id": "CVE-2023-50268", "lastModified": "2023-12-19T01:32:51.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-12-13T21:15:09.360", "references": [{"source": "security-advisories@github.com", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/12/15/10"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Mailing List"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/jqlang/jq/pull/2804"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-120"}, {"lang": "en", "value": "CWE-121"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "jq: stack-based buffer overflow in builds using decNumber", "id": "2254468", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254468"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "(CWE-120|CWE-121)", "details": ["jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.", "A stack-based buffer overflow vulnerability was found in the Jq project. This issue occurs when submitting malicious input to the application, leading to an application crash and causing a denial of service."], "name": "CVE-2023-50268", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Not affected", "package_name": "jq", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-12-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-50268\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-50268\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771\nhttps://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b\nhttps://github.com/jqlang/jq/pull/2804\nhttps://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j"], "threat_severity": "Moderate", "upstream_fix": "jq 1.7.1"}