CVE-2023-50268
Published 2023-12-13
Priority: P424 · Severity: medium · CVSS 3.1 base score: 5.5
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.44% (35.5th percentile)
jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | jq | < jq 1.7.1-1 (forky) | jq 1.7.1-1 (forky) |
| jqlang | jq | — | — |
| jqlang | jq | — | — |
| jqlang | jq | >= 0 < 1.7.1-1 | 1.7.1-1 |
| jqlang | jq | >= 0 < 1.7.1-1 | 1.7.1-1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 5.5 | MEDIUM | — |
| vendor_debian | — | 6.2 | LOW | — |
| vendor_redhat | — | 6.2 | MEDIUM | — |
Red Hat
CVE-2023-50268 [MEDIUM] CWE-120 · jq: stack-based buffer overflow in builds using decNumber
vendor_redhat · 2023-12-13 · CVSS 6.2
A stack-based buffer overflow vulnerability was found in the Jq project. This issue occurs when submitting malicious input to the application, leading to an application crash and causing a denial of service.
Package: jq (Red Hat Ceph Storage 4) - Not affected
Package: jq (Red Hat Enterprise Linux 8) - Not affected
Package: jq (Red Hat Enterprise Linux 9) - Not affected
Debian
CVE-2023-50268 [MEDIUM] · jq
vendor_debian · 2023 · CVSS 6.2
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 1.7.1-1)
sid: resolved (fixed in 1.7.1-1)
trixie: resolved (fixed in 1.7.1-1)
OSV
CVE-2023-50268 [MEDIUM] · jq is a command-line JSON processor
osv · 2023-12-13 · CVSS 5.5
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References

- http://www.openwall.com/lists/oss-security/2023/12/15/10
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771
- https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b
- https://github.com/jqlang/jq/pull/2804
- https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j