Json
CVE-2020-7712
HIGH
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 1 maven packages depend on org.webjars.npm:json (1 direct, 0 indirect)
- 10 npm packages depend on json (10 direct, 0 indirect)
Ecosystem-wide dependent count for version 9.0.6 and other introduced versions.
DescriptionNVD
This affects the package json before 10.0.0. It is possible to inject arbritary commands using the parseLookup function.
AnalysisAI
This affects the package json before 10.0.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. This affects the package json before 10.0.0. It is possible to inject arbritary commands using the parseLookup function. Affected products include: Joyent Json, Oracle Commerce Guided Search, Oracle Financial Services Crime And Compliance Management Studio, Oracle Financial Services Regulatory Reporting With Agilereporter, Oracle Timesten In-Memory Database. Version information: before 10.0.0..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.
Jsonxx or Json++ is a JSON parser, writer and reader written in C++. Rated critical severity (CVSS 9.8), this vulnerabil
JSON++ through 2016-06-15 has a buffer over-read in yyparse() in json.y. Rated critical severity (CVSS 9.8), this vulner
Jsonxx or Json++ is a JSON parser, writer and reader written in C++. Rated high severity (CVSS 7.5), this vulnerability
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an
Heap buffer overflow in the Ruby JSON gem's streaming generator (versions 2.9.0-2.19.8) enables reliable process crash v
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today