Tobias Stoeckmann found an integer overflow issue in JSON-C, a C library to manipulate JSON objects, when reading maliciously crafted large files. The issue could be exploited to cause denial of service or possibly execute arbitrary code.

For Debian 9 stretch, this problem has been fixed in version 0.12.1-1.1+deb9u1.

We recommend that you upgrade your json-c packages.

For the detailed security status of json-c please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/json-c

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3461 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3461-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                    Thorsten Alteholz     June 20, 2023                                 https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : libfastjson     Version        : 0.99.8-2+deb10u1     CVE ID         : CVE-2020-12762


    An issue has been found in libfastjson, a fast json library for C.
    Due to missing checks, out-of-bounds write might happen when parsing     large JSON files.



    For Debian 10 buster, this problem has been fixed in version     0.99.8-2+deb10u1.

    We recommend that you upgrade your libfastjson packages.

    For the detailed security status of libfastjson please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/libfastjson

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2022:0184-1 advisory.

  - json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated     by printbuf_memappend. (CVE-2020-12762)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2022:0184-2 advisory.

  - json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated     by printbuf_memappend. (CVE-2020-12762)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2024:1846-1 advisory.

    - CVE-2020-12762: Fixed integer overflow and out-of-bounds write via a large JSON file (bsc#1171479).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:1154 advisory.

    The libfastjson library provides essential JavaScript Object Notation (JSON) handling functions. The     library enables users to construct JSON objects in C, output them as JSON-formatted strings, and convert     JSON-formatted strings back to the C representation of JSON objects.

    Security Fix(es):

    * json-c, libfastjson: integer overflow and out-of-bounds write via a large JSON file (CVE-2020-12762)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2023-6431 advisory.

    [0.99.9-5]
    - Rebuild     Resolves: rhbz#2227786

    [0.99.9-4]
    - Address CVE-2020-12762     Resolves: rhbz#2203172

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated     by printbuf_memappend. (CVE-2020-12762)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Published	Updated	Severity
139209	Debian DLA-2301-1 : json-c security update	Nessus	Debian Local Security Checks	7/31/2020	2/27/2024	high
177513	Debian dla-3461 : libfastjson-dev - security update	Nessus	Debian Local Security Checks	6/22/2023	1/22/2025	high
157084	openSUSE 15 Security Update : json-c (openSUSE-SU-2022:0184-1)	Nessus	SuSE Local Security Checks	1/26/2022	11/17/2023	high
158156	SUSE SLES15 Security Update : json-c (SUSE-SU-2022:0184-2)	Nessus	SuSE Local Security Checks	2/18/2022	7/13/2023	high
198129	SUSE SLES12 Security Update : libfastjson (SUSE-SU-2024:1846-1)	Nessus	SuSE Local Security Checks	5/30/2024	5/30/2024	high
191588	RHEL 9 : libfastjson (RHSA-2024:1154)	Nessus	Red Hat Local Security Checks	3/5/2024	11/7/2024	high
185871	Oracle Linux 9 : libfastjson (ELSA-2023-6431)	Nessus	Oracle Linux Local Security Checks	11/16/2023	11/2/2024	high
223335	Linux Distros Unpatched Vulnerability : CVE-2020-12762	Nessus	Misc.	3/4/2025	3/4/2025	high

Detections

Analytics

Plugins Search

high

high

high

high

high

high

high

high