Lucene search

K

[email protected]NVD:CVE-2023-49355

HistoryDec 11, 2023 - 7:15 a.m.

CVE-2023-49355

2023-12-1107:15:07

CWE-787

[email protected]

web.nvd.nist.gov

cve-2023-49355

jq

out-of-bounds write

dectostring

decnumber.c

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0005 Low

EPSS

Percentile

17.9%

decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input. NOTE: this is not the same as CVE-2023-50246. The CVE-2023-50246 71c2ab5 reference mentions -10E-1000010001, which is not in normalized scientific notation.

Affected configurations

NVD

Node

jqlangjqMatch1.7-37-g88f01a7

References

github.com/jqlang/jq/blob/88f01a741c8d63c4d1b5bc3ef61520c6eb93edaa/src/decNumber/decNumber.c#L3764

github.com/jqlang/jq/tree/88f01a741c8d63c4d1b5bc3ef61520c6eb93edaa

github.com/linzc21/bug-reports/blob/main/reports/jq/1.7-37-g88f01a7/heap-buffer-overflow/CVE-2023-49355.md

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0005 Low

EPSS

Percentile

17.9%

Related for NVD:CVE-2023-49355

cve2 ubuntucve2 prion2 cvelist2 debiancve2 alpinelinux1 veracode2 nvd1 redhatcve1 osv1 redos1