Out of Bounds Access Leading to Undefined Behavior
CVE-2023-3040

7.5 HIGH

Key Information:

Vendor

Cloudflare

CVE Published:
14 June 2023

What is CVE-2023-3040?

lua-resty-json, Cloudflare's C-based JSON library for Lua, contains an out of bounds access in its debug function. Versions prior to commit 3ef9492bd3a44d9e51301d6adc3cd1789c8f534a are affected; a checkout whose history includes that commit carries the fix. When the debug function is run over untrusted data, the out of bounds access is undefined behaviour in the C code and in practice can crash the process, giving an attacker a Denial of Service (DoS). The debug function exists for testing and demonstration only, so the bug is reachable only where an application deliberately calls it on attacker-controlled input, and it is not easily exploitable in typical deployments that use the normal parsing API. The official advisory and the fixing pull request give further detail.

Affected Version(s)

lua-resty-json, all versions prior to commit 3ef9492bd3a44d9e51301d6adc3cd1789c8f534a

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 14 June 2023

Credit

Carlos López (00xc)