CVE-2024-39684

2024-07-0919:15:12

CWE-190

GitHub_M

web.nvd.nist.gov

tencent rapidjson

integer overflow

privilege escalation

json text

crafted file

elevation of privilege

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

Percentile

9.2%

JSON

Tencent RapidJSON is vulnerable to privilege escalation due to an integer overflow in the GenericReader::ParseNumber() function of include/rapidjson/reader.h when parsing JSON text from a stream. An attacker needs to send the victim a crafted file which needs to be opened; this triggers the integer overflow vulnerability (when the file is parsed), leading to elevation of privilege.

Affected configurations

Vulners

Vulnrichment

Node

tencentrapidjsonRange≤1.1.0

VendorProductVersionCPE
tencentrapidjson*cpe:2.3:a:tencent:rapidjson:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
tencent	rapidjson	*	cpe:2.3:a:tencent:rapidjson::::::::

CNA Affected

[
  {
    "vendor": "Tencent",
    "product": "RapidJSON",
    "versions": [
      {
        "version": "<= 1.1.0",
        "status": "affected"
      }
    ]
  }
]