Dec 11, 2023 - 7:15 a.m.

CVE-2023-49355

2023-12-11 07:15:07
CWE-787
web.nvd.nist.gov
cve-2023-49355
jq
decnumber.c
security vulnerability
nvd

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 6 Medium (Confidence: High)

EPSS: 0.0005 Low (Percentile: 17.7%)

decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input. NOTE: this is not the same as CVE-2023-50246. The CVE-2023-50246 71c2ab5 reference mentions -10E-1000010001, which is not in normalized scientific notation.

Affected configurations

NVD
Node: jqlang jq, Match 1.7-37-g88f01a7

CPE: jqlang:jq
Name: jqlang jq
Operator: eq
Version: 1.7-37-g88f01a7
