ID CVE-2013-6371
Summary The hash functionality in json-c before 0.12 allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted JSON data, involving collisions.
References
Vulnerable Configurations
  • cpe:2.3:a:json-c_project:json-c:0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:json-c_project:json-c:0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:json-c_project:json-c:0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:json-c_project:json-c:0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:json-c_project:json-c:0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:json-c_project:json-c:0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:json-c_project:json-c:0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:json-c_project:json-c:0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:json-c_project:json-c:0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:json-c_project:json-c:0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:json-c_project:json-c:0.11:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 29-08-2017 - 01:33)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
Vector NETWORK
Complexity LOW
Authentication NONE
Impact
Confidentiality NONE
Integrity NONE
Availability PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
advisories
bugzilla
id 1032322
title CVE-2013-6370 json-c: buffer overflow if size_t is larger than int
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhba:tst:20150364001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhba:tst:20150364002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhba:tst:20150364003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20150364004
  • OR
    • AND
      • comment json-c is earlier than 0:0.11-4.el7_0
        oval oval:com.redhat.rhsa:tst:20140703005
      • comment json-c is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20140703006
    • AND
      • comment json-c-devel is earlier than 0:0.11-4.el7_0
        oval oval:com.redhat.rhsa:tst:20140703007
      • comment json-c-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20140703008
    • AND
      • comment json-c-doc is earlier than 0:0.11-4.el7_0
        oval oval:com.redhat.rhsa:tst:20140703009
      • comment json-c-doc is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20140703010
rhsa
id RHSA-2014:0703
released 2014-06-10
severity Moderate
title RHSA-2014:0703: json-c security update (Moderate)
rpms
  • json-c-0:0.11-4.el7_0
  • json-c-devel-0:0.11-4.el7_0
  • json-c-doc-0:0.11-4.el7_0
refmap via4
bid 66715
confirm
fedora FEDORA-2014-5006
mandriva MDVSA-2014:079
secunia 57791
xf jsonc-cve20136371-dos(92541)
Last major update 29-08-2017 - 01:33
Published 22-04-2014 - 13:06