CVE-2020-12762

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.

References

https://github.com/json-c/json-c/pull/592

https://github.com/rsyslog/libfastjson/issues/161

https://lists.fedoraproject.org/archives/list/[email protected]/message/CQQRRGBQCAWNCCJ2HN3W5SSCZ4QGMXQI/

https://usn.ubuntu.com/4360-1/

https://lists.fedoraproject.org/archives/list/[email protected]/message/CBR36IXYBHITAZFB5PFBJTED22WO5ONB/

https://lists.fedoraproject.org/archives/list/[email protected]/message/W226TSCJBEOXDUFVKNWNH7ETG7AR6MCS/

https://lists.debian.org/debian-lts-announce/2020/05/msg00032.html

https://lists.debian.org/debian-lts-announce/2020/05/msg00034.html

https://usn.ubuntu.com/4360-4/

https://security.gentoo.org/glsa/202006-13

https://lists.debian.org/debian-lts-announce/2020/07/msg00031.html

https://www.debian.org/security/2020/dsa-4741

https://security.netapp.com/advisory/ntap-20210521-0001/

Details

Source: MITRE

Published: 2020-05-09

Updated: 2021-05-21

Type: CWE-787

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 7.8

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 1.8

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:json-c_project:json-c:*:*:*:*:*:*:*:* versions up to 0.14 (inclusive)

Tenable Plugins

View all (26 total)

IDNameProductFamilySeverity
155419Oracle Linux 8 : json-c (ELSA-2021-4382)NessusOracle Linux Local Security Checks
high
155122RHEL 8 : json-c (RHSA-2021:4382)NessusRed Hat Local Security Checks
high
155054CentOS 8 : json-c (CESA-2021:4382)NessusCentOS Local Security Checks
high
149782IBM MQ 9.1 LTS / 9.2 < 9.2.0.1 LTS / 9.2 < 9.2.1 CD RCE (6382922)NessusMisc.
high
146206pfSense 2.4.x < 2.4.5-p1 Multiple VulnerabilitiesNessusFirewalls
high
141647EulerOS Virtualization 3.0.2.2 : json-c (EulerOS-SA-2020-2189)NessusHuawei Local Security Checks
high
140851EulerOS 2.0 SP3 : json-c (EulerOS-SA-2020-2084)NessusHuawei Local Security Checks
high
140355EulerOS Virtualization for ARM 64 3.0.2.0 : json-c (EulerOS-SA-2020-1985)NessusHuawei Local Security Checks
high
139342Debian DSA-4741-1 : json-c - security updateNessusDebian Local Security Checks
high
139209Debian DLA-2301-1 : json-c security updateNessusDebian Local Security Checks
high
138054Amazon Linux AMI : json-c (ALAS-2020-1381)NessusAmazon Linux Local Security Checks
high
138044Amazon Linux 2 : json-c (ALAS-2020-1442)NessusAmazon Linux Local Security Checks
high
137952EulerOS Virtualization 3.0.6.0 : json-c (EulerOS-SA-2020-1733)NessusHuawei Local Security Checks
high
137812EulerOS Virtualization for ARM 64 3.0.6.0 : json-c (EulerOS-SA-2020-1705)NessusHuawei Local Security Checks
high
137522EulerOS 2.0 SP2 : json-c (EulerOS-SA-2020-1680)NessusHuawei Local Security Checks
high
137450GLSA-202006-13 : json-c: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
137320Photon OS 1.0: Json PHSA-2020-1.0-0298NessusPhotonOS Local Security Checks
high
137192Photon OS 2.0: Json PHSA-2020-2.0-0249NessusPhotonOS Local Security Checks
high
137023EulerOS 2.0 SP5 : json-c (EulerOS-SA-2020-1605)NessusHuawei Local Security Checks
high
136984Debian DLA-2228-2 : json-c regression updateNessusDebian Local Security Checks
high
136964Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : json-c vulnerability (USN-4360-4)NessusUbuntu Local Security Checks
high
136936Fedora 31 : json-c (2020-7eb7eac270)NessusFedora Local Security Checks
high
136860EulerOS 2.0 SP8 : json-c (EulerOS-SA-2020-1582)NessusHuawei Local Security Checks
high
136841Fedora 30 : json-c (2020-847ad856ab)NessusFedora Local Security Checks
high
136663Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : json-c vulnerability (USN-4360-1)NessusUbuntu Local Security Checks
high
136635FreeBSD : json-c -- integer overflow and out-of-bounds write via a large JSON file (abc3ef37-95d4-11ea-9004-25fadb81abf4)NessusFreeBSD Local Security Checks
high