Lucene search

[email protected]CVE-2020-7712

HistoryAug 30, 2020 - 8:15 a.m.

CVE-2020-7712

2020-08-3008:15:00

CWE-78

[email protected]

web.nvd.nist.gov

cve-2020-7712

package json

arbitrary command injection

parselookup function

security vulnerability

nvd

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

8.2 High

AI Score

Confidence

High

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.016 Low

EPSS

Percentile

87.3%

JSON

This affects the package json before 10.0.0. It is possible to inject arbritary commands using the parseLookup function.

CPENameOperatorVersion
joyent:jsonjoyent jsonlt10.0.0
oracle:commerce_guided_searchoracle commerce guided searcheq11.3.2
oracle:timesten_in-memory_databaseoracle timesten in-memory databaselt21.1.1.1.0
oracle:financial_services_regulatory_reporting_with_agilereporteroracle financial services regulatory reporting with agilereportereq8.0.9.6.3
oracle:financial_services_crime_and_compliance_management_studiooracle financial services crime and compliance management studioeq8.0.8.2.0
oracle:financial_services_crime_and_compliance_management_studiooracle financial services crime and compliance management studioeq8.0.8.3.0

CPE	Name	Operator	Version
joyent:json	joyent json	lt	10.0.0
oracle:commerce_guided_search	oracle commerce guided search	eq	11.3.2
oracle:timesten_in-memory_database	oracle timesten in-memory database	lt	21.1.1.1.0
oracle:financial_services_regulatory_reporting_with_agilereporter	oracle financial services regulatory reporting with agilereporter	eq	8.0.9.6.3
oracle:financial_services_crime_and_compliance_management_studio	oracle financial services crime and compliance management studio	eq	8.0.8.2.0
oracle:financial_services_crime_and_compliance_management_studio	oracle financial services crime and compliance management studio	eq	8.0.8.3.0

References

github.com/trentm/json/issues/144

github.com/trentm/json/pull/145

lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320dbe661d5d8b33b%40%3Cissues.zookeeper.apache.org%3E

lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79dfff8f5efa8cda61%40%3Cissues.zookeeper.apache.org%3E

lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b3111696eafa9add802d%40%3Cissues.zookeeper.apache.org%3E

lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f526daaafa4aaae%40%3Cdev.zookeeper.apache.org%3E

lists.apache.org/thread.html/r977a907ecbedf87ae5ba47d4c77639efb120f74d4d1b3de14a4ef4da%40%3Cissues.flink.apache.org%3E

lists.apache.org/thread.html/r9c6d28e5b9a9b3481b7d1f90f1c2f75cd1a5ade91038426e0fb095da%40%3Cdev.flink.apache.org%3E

lists.apache.org/thread.html/ra890c24b3d90be36daf48ae76b263acb297003db24c1122f8e4aaef2%40%3Cissues.flink.apache.org%3E

lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b80db7b818a5c55c%40%3Cissues.zookeeper.apache.org%3E

lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea0718e6a65a9b1be5%40%3Cissues.zookeeper.apache.org%3E

lists.apache.org/thread.html/rb89bd82dffec49f83b49e9ad625b1b63a408b3c7d1a60d6f049142a0%40%3Cissues.flink.apache.org%3E

lists.apache.org/thread.html/rba7ea4d75d6a8e5b935991d960d9b893fd30e576c4d3b531084ebd7d%40%3Cissues.flink.apache.org%3E

lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b917e8c43b6df4cc7%40%3Cissues.zookeeper.apache.org%3E

lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfac39b7b698ee4db%40%3Cissues.zookeeper.apache.org%3E

lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941ddc2c2562c12966c%40%3Cissues.zookeeper.apache.org%3E

snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-608932

snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-608931

snyk.io/vuln/SNYK-JS-JSON-597481

www.oracle.com//security-alerts/cpujul2021.html

www.oracle.com/security-alerts/cpujan2022.html

www.oracle.com/security-alerts/cpujul2022.html

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

8.2 High

AI Score

Confidence

High

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.016 Low

EPSS

Percentile

87.3%

JSON

Related for CVE-2020-7712

prion1 osv2 nodejs1 veracode1 github1 nessus1 oracle6