CVE-2018-1000217 — Use After Free in Cjson

CWE-416 — Use After Free5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 39.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Davegamble Cjson

Timeline

PublishedAug 20

Latest updateMay 14

Description

Dave Gamble cJSON version 1.7.3 and earlier contains a CWE-416: Use After Free vulnerability in cJSON library that can result in Possible crash, corruption of data or even RCE. This attack appear to be exploitable via Depends on how application uses cJSON library. If application provides network interface then can be exploited over a network, otherwise just local.. This vulnerability appears to have been fixed in 1.7.4.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDdavegamble/cjson< 1.7.4

🔴Vulnerability Details

GHSA

GHSA-cmxj-54mf-j4q3: Dave Gamble cJSON version 1↗2022-05-14

▶

CVEList

CVE-2018-1000217: Dave Gamble cJSON version 1↗2018-08-20

▶

📋Vendor Advisories

Microsoft

Dave Gamble cJSON version 1.7.3 and earlier contains a CWE-416: Use After Free vulnerability↗2018-08-14

▶

Debian

CVE-2018-1000217: cjson - Dave Gamble cJSON version 1.7.3 and earlier contains a CWE-416: Use After Free v...↗2018

▶