jq has heap-buffer-overflow vulnerability in the function decToString in decNumber.c
CVE-2023-50246

5.5MEDIUM

Key Information:

Vendor

Jqlang

Status
Jq
Vendor
CVE Published:
13 December 2023

What is CVE-2023-50246?

jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.

Affected Version(s)

jq = 1.7

References

https://github.com/jqlang/jq/security/advisories/GHSA-686...
x_refsource_CONFIRM
https://github.com/jqlang/jq/commit/71c2ab509a8628dbbad4b...
x_refsource_MISC
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64574
x_refsource_MISC

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.