CVE-2023-50268 (GCVE-0-2023-50268)
Vulnerability from cvelistv5
Published
2023-12-13 20:49
Modified
2025-02-13 17:19
Severity ?
6.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-121 - Stack-based Buffer Overflow
  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Summary
jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.
References
security-advisories@github.comhttp://www.openwall.com/lists/oss-security/2023/12/15/10Mailing List, Patch, Third Party Advisory
security-advisories@github.comhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771Issue Tracking, Mailing List
security-advisories@github.comhttps://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6bPatch
security-advisories@github.comhttps://github.com/jqlang/jq/pull/2804Issue Tracking, Patch
security-advisories@github.comhttps://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8jExploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2023/12/15/10Mailing List, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771Issue Tracking, Mailing List
af854a3a-2127-422b-91ae-364da2661108https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6bPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/jqlang/jq/pull/2804Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8jExploit, Vendor Advisory
Impacted products
Vendor Product Version
jqlang jq Version: = 1.7
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T22:16:46.221Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j"
          },
          {
            "name": "https://github.com/jqlang/jq/pull/2804",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/jqlang/jq/pull/2804"
          },
          {
            "name": "https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b"
          },
          {
            "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/12/15/10"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jq",
          "vendor": "jqlang",
          "versions": [
            {
              "status": "affected",
              "version": "= 1.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-120",
              "description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-16T00:06:21.466Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j"
        },
        {
          "name": "https://github.com/jqlang/jq/pull/2804",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jqlang/jq/pull/2804"
        },
        {
          "name": "https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b"
        },
        {
          "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/12/15/10"
        }
      ],
      "source": {
        "advisory": "GHSA-7hmr-442f-qc8j",
        "discovery": "UNKNOWN"
      },
      "title": "jq has stack-based buffer overflow in decNaNs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-50268",
    "datePublished": "2023-12-13T20:49:54.982Z",
    "dateReserved": "2023-12-05T20:42:59.380Z",
    "dateUpdated": "2025-02-13T17:19:02.376Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-50268\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-12-13T21:15:09.360\",\"lastModified\":\"2024-11-21T08:36:47.253\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.\"},{\"lang\":\"es\",\"value\":\"jq es un procesador JSON de l\u00ednea de comandos. La versi\u00f3n 1.7 es vulnerable al desbordamiento del b\u00fafer basado en pila en compilaciones que utilizan decNumber. La versi\u00f3n 1.7.1 contiene un parche para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.5,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-120\"},{\"lang\":\"en\",\"value\":\"CWE-121\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jqlang:jq:1.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AB4D6ED1-816E-4FB7-B9EE-188B66543156\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2023/12/15/10\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Mailing List\"]},{\"url\":\"https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jqlang/jq/pull/2804\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2023/12/15/10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Mailing List\"]},{\"url\":\"https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jqlang/jq/pull/2804\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.