Skip to main content

Jq CVE-2023-49355

HIGH
Out-of-bounds Write (CWE-787)
2023-12-11 cve@mitre.org
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Dec 11, 2023 - 07:15 nvd
HIGH 7.5

DescriptionNVD

decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input. NOTE: this is not the same as CVE-2023-50246. The CVE-2023-50246 71c2ab5 reference mentions -10E-1000010001, which is not in normalized scientific notation.

AnalysisAI

decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Out-of-bounds Write (CWE-787), which allows attackers to write data beyond allocated buffer boundaries leading to code execution or crashes. decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input. NOTE: this is not the same as CVE-2023-50246. The CVE-2023-50246 71c2ab5 reference mentions -10E-1000010001, which is not in normalized scientific notation. Affected products include: Jqlang Jq.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate write boundaries, use memory-safe languages, enable compiler protections (ASLR, stack canaries).

More in Jq

View all
CVE-2024-53427 HIGH POC
8.1 Feb 26

decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which ha

CVE-2015-8863 CRITICAL
9.8 May 06

Off-by-one error in the tokenadd function in jv_parse.c in jq allows remote attackers to cause a denial of service (cras

CVE-2025-48060 HIGH POC
7.7 May 21

jq is a command-line JSON processor. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no auth

CVE-2016-4074 HIGH POC
7.5 May 06

The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and applicat

CVE-2023-50268 MEDIUM POC
5.5 Dec 13

jq is a command-line JSON processor. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Publ

CVE-2023-50246 MEDIUM POC
5.5 Dec 13

jq is a command-line JSON processor. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Publ

CVE-2026-32316 HIGH
8.2 Apr 13

Heap buffer overflow in jq command-line JSON processor (all versions through 1.8.1) allows remote unauthenticated attack

CVE-2026-49839 HIGH
7.1

Out-of-bounds write in the jq command-line JSON processor (CWE-787) lets a crafted JSON input corrupt memory when parsed

CVE-2026-54679 MEDIUM
6.9

jq, the command-line JSON processor, was patched in Alpine Linux with package version 1.8.2-r0. The specific vulnerabili

CVE-2026-39979 MEDIUM
6.9 Apr 13

jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() AP

CVE-2026-47770 MEDIUM
6.8

jq on Alpine Linux was patched in package version 1.8.2-r0, addressing an unspecified vulnerability. The nature of the f

CVE-2026-43894 MEDIUM
6.2 May 11

Buffer overflow in jq 1.8.1 and earlier allows local attackers to cause denial of service by providing a crafted JSON nu

Share

CVE-2023-49355 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy