Lucene search
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.FEDORA_2021-B670727349.NASLHistoryJan 20, 2021 - 12:00 a.m.
Fedora 32 : golang-github-buger-jsonparser (2021-b670727349)
2021-01-2000:00:00
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
14
7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.6 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
58.9%
The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-b670727349 advisory.
- jsonparser 1.0.0 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a GET call. (CVE-2020-35381)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
##
# (C) Tenable Network Security, Inc.
##
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2021-b670727349
#
include('compat.inc');
if (description)
{
script_id(145190);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/29");
script_cve_id("CVE-2020-35381");
script_xref(name:"FEDORA", value:"2021-b670727349");
script_name(english:"Fedora 32 : golang-github-buger-jsonparser (2021-b670727349)");
script_set_attribute(attribute:"synopsis", value:
"The remote Fedora host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in the
FEDORA-2021-b670727349 advisory.
- jsonparser 1.0.0 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of
range) via a GET call. (CVE-2020-35381)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2021-b670727349");
script_set_attribute(attribute:"solution", value:
"Update the affected golang-github-buger-jsonparser package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-35381");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/12/15");
script_set_attribute(attribute:"patch_publication_date", value:"2021/01/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/01/20");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:32");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:golang-github-buger-jsonparser");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Fedora Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include('audit.inc');
include('global_settings.inc');
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item('Host/RedHat/release');
if (isnull(release) || 'Fedora' >!< release) audit(AUDIT_OS_NOT, 'Fedora');
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');
os_ver = os_ver[1];
if (! preg(pattern:"^32([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Fedora 32', 'Fedora ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);
pkgs = [
{'reference':'golang-github-buger-jsonparser-1.1.1-1.fc32', 'release':'FC32', 'rpm_spec_vers_cmp':TRUE}
];
flag = 0;
foreach package_array ( pkgs ) {
reference = NULL;
release = NULL;
sp = NULL;
cpu = NULL;
el_string = NULL;
rpm_spec_vers_cmp = NULL;
epoch = NULL;
allowmaj = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (reference && release) {
if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'golang-github-buger-jsonparser');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| fedoraproject | fedora | 32 | cpe:/o:fedoraproject:fedora:32 |
| fedoraproject | fedora | golang-github-buger-jsonparser | p-cpe:/a:fedoraproject:fedora:golang-github-buger-jsonparser |
Related
nvd
nvd
CVE-2020-35381
2020-12-15 21:15:15
fedora
fedora
[SECURITY] Fedora 32 Update: golang-github-buger-jsonparser-1.1.1-1.fc32
2021-01-17 01:20:06
[SECURITY] Fedora 33 Update: golang-github-buger-jsonparser-1.1.1-1.fc33
2021-01-17 01:51:00
cve
cve
CVE-2020-35381
2020-12-15 21:15:15
github
github
Denial of Service in jsonparser
2022-05-25 19:21:53
ubuntucve
ubuntucve
CVE-2020-35381
2020-12-15 00:00:00
debiancve
debiancve
CVE-2020-35381
2020-12-15 21:15:15
prion
prion
Out-of-bounds
2020-12-15 21:15:00
openvas
openvas
osv
osv
Panic due to improper input validation in github.com/buger/jsonparser
2021-04-14 20:04:52
Denial of Service in jsonparser
2022-05-25 19:21:53
CVE-2020-35381
2020-12-15 21:15:15
redhatcve
redhatcve
CVE-2020-35381
2020-12-16 20:25:19
nessus
nessus
Fedora 33 : golang-github-buger-jsonparser (2021-5676f1be7d)
2021-01-20 00:00:00
veracode
veracode
Denial Of Service (DoS)
2020-12-22 04:19:36
cvelist
cvelist
CVE-2020-35381
2020-12-15 20:14:09
7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.6 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
58.9%
Related for FEDORA_2021-B670727349.NASL