CVE-2023-50246Classic Buffer Overflow in JQ

CWE-120Classic Buffer OverflowCWE-122Heap-based Buffer OverflowCWE-787Out-of-bounds Write9 documents5 sources
Severity
7.5HIGHNVD
NVD5.5CNA6.2OSV5.5
EPSS
0.3%
top 50.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Jqlang JQ
Timeline
PublishedDec 13

Description

jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

Debianjqlang/jq< 1.7.1-1+1
CVEListV5jqlang/jq= 1.7
NVDjqlang/jq1.7, 1.7-37-g88f01a7+1

Patches

Patch: www.openwall.comPatch: github.comPatch: www.openwall.com

🔴Vulnerability Details

4
OSV
CVE-2023-50246: jq is a command-line JSON processor2023-12-13
CVEList
jq has heap-buffer-overflow vulnerability in the function decToString in decNumber.c2023-12-13
OSV
CVE-2023-49355: decToString in decNumber/decNumber2023-12-11
CVEList
CVE-2023-49355: decToString in decNumber/decNumber2023-12-11

📋Vendor Advisories

3
Red Hat
jq: heap buffer overflow in function decToString() in decNumber.c2023-12-13
Debian
CVE-2023-50246: jq - jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buf...2023
Debian
CVE-2023-49355: jq - decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds ...2023
CVE-2023-50246 — Classic Buffer Overflow in Jqlang JQ | cvebase