Lucene search
Cloud FoundryCFOUNDRY:040F4CCCBFA0D40A833FE27260678A99HistoryJun 24, 2020 - 12:00 a.m.
USN-4360-4: json-c vulnerability | Cloud Foundry
2020-06-2400:00:00
Cloud Foundry
www.cloudfoundry.org
21
0.001 Low
EPSS
Percentile
44.7%
Severity
Medium
Vendor
Canonical Ubuntu
Versions Affected
- Canonical Ubuntu 14.04
- Canonical Ubuntu 16.04
- Canonical Ubuntu 18.04
Description
USN-4360-1 fixed a vulnerability in json-c. The security fix introduced a memory leak that was reverted in USN-4360-2 and USN-4360-3. This update provides the correct fix update for CVE-2020-12762.
Original advisory details:
It was discovered that json-c incorrectly handled certain JSON files. An attacker could possibly use this issue to execute arbitrary code.
CVEs contained in this USN include: CVE-2020-12762.
Affected Cloud Foundry Products and Versions
Severity is medium unless otherwise noted.
- cflinuxfs3
- All versions prior to 0.189.0
- Xenial Stemcells
- 170.x versions prior to 170.221
- 250.x versions prior to 250.200
- 315.x versions prior to 315.185
- 456.x versions prior to 456.114
- 621.x versions prior to 621.76
- All other stemcells not listed.
- CF Deployment
- All versions prior to v13.5.0
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- cflinuxfs3
- Upgrade All versions to 0.189.0 or greater
- Xenial Stemcells
- Upgrade 170.x versions to 170.221 or greater
- Upgrade 250.x versions to 250.200 or greater
- Upgrade 315.x versions to 315.185 or greater
- Upgrade 456.x versions to 456.114 or greater
- Upgrade 621.x versions to 621.76 or greater
- All other stemcells should be upgraded to the latest version available on bosh.io.
- CF Deployment
- Upgrade All versions to v13.5.0 or greater
References
History
2020-05-28: Initial vulnerability report published.
| CPE | Name | Operator | Version |
|---|---|---|---|
| cflinuxfs3 | lt | 0.189.0 | |
| xenial stemcells | lt | 170.221 | |
| xenial stemcells | lt | 250.200 | |
| xenial stemcells | lt | 315.185 | |
| xenial stemcells | lt | 456.114 | |
| xenial stemcells | lt | 621.76 |
Related
openvas
openvas
Fedora: Security Advisory for json-c (FEDORA-2020-7eb7eac270)
2020-05-29 00:00:00
Huawei EulerOS: Security Advisory for json-c (EulerOS-SA-2020-1605)
2020-06-03 00:00:00
Debian: Security Advisory (DSA-4741-1)
2020-08-07 00:00:00
amazon
amazon
Medium: json-c
2020-06-23 05:59:00
Medium: json-c
2020-06-26 22:51:00
Medium: libfastjson
2023-06-05 16:39:00
nessus
nessus
EulerOS Virtualization for ARM 64 3.0.2.0 : json-c (EulerOS-SA-2020-1985)
2020-09-08 00:00:00
SUSE SLES12 Security Update : json-c (SUSE-SU-2022:3001-1)
2022-09-03 00:00:00
RHEL 9 : libfastjson (RHSA-2024:1154)
2024-03-05 00:00:00
redhatcve
redhatcve
CVE-2020-12762
2020-05-13 14:10:37
osv
osv
json-c - security update
2020-07-30 00:00:00
libfastjson - security update
2023-06-20 00:00:00
Moderate: json-c security and bug fix update
2021-11-09 13:10:09
rocky
rocky
json-c security and bug fix update
2021-11-09 13:10:09
nvd
nvd
CVE-2020-12762
2020-05-09 18:15:11
redhat
redhat
(RHSA-2021:4382) Moderate: json-c security and bug fix update
2021-11-09 13:10:09
(RHSA-2024:0573) Moderate: libfastjson security update
2024-01-30 12:53:18
(RHSA-2024:1154) Moderate: libfastjson security update
2024-03-05 16:29:16
mageia
mageia
Updated libfastjson packages fix security vulnerability
2023-05-06 21:19:07
Updated json-c packages fix security vulnerability
2020-05-30 00:18:57
freebsd
freebsd
json-c -- integer overflow and out-of-bounds write via a large JSON file
2020-05-02 00:00:00
oraclelinux
oraclelinux
json-c security and bug fix update
2021-11-16 00:00:00
libfastjson security update
2023-11-17 00:00:00
libfastjson security update
2023-11-11 00:00:00
debiancve
debiancve
CVE-2020-12762
2020-05-09 18:15:11
altlinux
altlinux
Security fix for the ALT Linux 9 package json-c version 0.13.1-alt2
2020-07-08 00:00:00
almalinux
almalinux
Moderate: libfastjson security update
2023-11-14 00:00:00
Moderate: json-c security and bug fix update
2021-11-09 13:10:09
Moderate: libfastjson security update
2023-11-07 00:00:00
cvelist
cvelist
CVE-2020-12762
2020-05-09 00:00:00
debian
debian
[SECURITY] [DLA 2301-1] json-c security update
2020-07-30 14:43:31
[SECURITY] [DLA 2228-1] json-c security update
2020-05-31 13:48:31
[SECURITY] [DLA 3461-1] libfastjson security update
2023-06-20 21:14:01
fedora
fedora
[SECURITY] Fedora 30 Update: json-c-0.13.1-12.fc30
2020-05-26 03:18:15
[SECURITY] Fedora 31 Update: json-c-0.13.1-12.fc31
2020-05-26 03:20:49
[SECURITY] Fedora 32 Update: json-c-0.13.1-12.fc32
2020-05-17 02:43:40
veracode
veracode
Arbitrary Code Execution
2020-08-06 21:35:13
cbl_mariner
cbl_mariner
CVE-2020-12762 affecting package json-c 0.14-3
2020-09-09 06:09:09
CVE-2020-12762 affecting package json-c for versions less than 0.14-3
2022-10-21 20:38:56
ubuntu
ubuntu
json-c vulnerability
2020-05-14 00:00:00
json-c vulnerability
2020-05-28 00:00:00
ibm
ibm
gentoo
gentoo
json-c: Multiple vulnerabilities
2020-06-15 00:00:00
suse
suse
Security update for json-c (important)
2022-01-25 00:00:00
Security update for json-c (important)
2022-02-17 00:00:00
cve
cve
CVE-2020-12762
2020-05-09 18:15:11
cloudfoundry
cloudfoundry
USN-4360-2: json-c regression | Cloud Foundry
2020-06-24 00:00:00
USN-4360-1: json-c vulnerability | Cloud Foundry
2020-06-24 00:00:00
ubuntucve
ubuntucve
CVE-2020-12762
2020-05-09 00:00:00
prion
prion
Integer overflow
2020-05-09 18:15:00
alpinelinux
alpinelinux
CVE-2020-12762
2020-05-09 18:15:11
photon
photon
Important Photon OS Security Update - PHSA-2020-0093
2020-05-20 00:00:00
Important Photon OS Security Update - PHSA-2020-3.0-0093
2020-05-20 00:00:00
ics
ics
Siemens SINEC INS
2022-09-15 12:00:00
Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
2023-12-14 12:00:00