CVE-2023-50246
Published 2023-12-13
CVE-2023-50246: jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.
Priority P4 · 21 · medium · 5.5 · CVSS 3.1
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.51% (39.8th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | jq | < jq 1.7.1-1 (forky) | jq 1.7.1-1 (forky) |
| jqlang | jq | — | — |
| jqlang | jq | — | — |
| jqlang | jq | — | — |
| jqlang | jq | >= 0 < 1.7.1-1 | 1.7.1-1 |
| jqlang | jq | >= 0 < 1.7.1-1 | 1.7.1-1 |
CVSS provenance
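| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_redhat | — | 6.2 | MEDIUM | — |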
Red Hat
jq: heap buffer overflow in function decToString() in decNumber.c
vendor_redhat · 2023-12-13 · CVSS 6.2 · MEDIUM · CWE-120
jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.
A heap-based buffer overflow vulnerability was found in the decToString() function in decNumber.c in the Jq project. This issue occurs when submitting malicious input to the application, leading to an application crash and causing a denial of service.
Package: jq (Red Hat Ceph Storage 4) - Not affected
Package: jq (Red Hat Enterprise Linux 8) - Not affected
Package: jq (Red Hat Enterprise Linux 9) - Not affected
Debian
CVE-2023-50246: jq - jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buf...
vendor_debian · 2023 · CVSS 6.2 · MEDIUM
jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 1.7.1-1)
sid: resolved (fixed in 1.7.1-1)
trixie: resolved (fixed in 1.7.1-1)
Debian
CVE-2023-49355: jq - decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds ...
vendor_debian · 2023 · CVSS 7.5 · HIGH
decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input. NOTE: this is not the same as CVE-2023-50246. The CVE-2023-50246 71c2ab5 reference mentions -10E-1000010001, which is not in normalized scientific notation.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 1.7.1-1)
sid: resolved (fixed in 1.7.1-1)
trixie: resolved (fixed in 1.7.1-1)
OSV
CVE-2023-50246: jq is a command-line JSON processor
osv · 2023-12-13 · CVSS 5.5 · MEDIUM
jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.
OSV
CVE-2023-49355: decToString in decNumber/decNumber
osv · 2023-12-11 · CVSS 7.5 · HIGH
decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input. NOTE: this is not the same as CVE-2023-50246. The CVE-2023-50246 71c2ab5 reference mentions -10E-1000010001, which is not in normalized scientific notation.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.openwall.com/lists/oss-security/2023/12/15/10
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64574
https://github.com/jqlang/jq/commit/71c2ab509a8628dbbad4bc7b3f98a64aa90d3297
https://github.com/jqlang/jq/security/advisories/GHSA-686w-5m7m-54vc