Jq
CVE-2023-50268
MEDIUM
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.
AnalysisAI
jq is a command-line JSON processor. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Buffer Copy without Size Check (CWE-120), which allows attackers to overflow a buffer to corrupt adjacent memory. jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue. Affected products include: Jqlang Jq. Version information: Version 1.7.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Always validate buffer sizes before copy operations. Use bounded functions (strncpy, snprintf). Enable compiler protections.
decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which ha
Off-by-one error in the tokenadd function in jv_parse.c in jq allows remote attackers to cause a denial of service (cras
jq is a command-line JSON processor. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no auth
The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and applicat
decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" inpu
jq is a command-line JSON processor. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Publ
Heap buffer overflow in jq command-line JSON processor (all versions through 1.8.1) allows remote unauthenticated attack
Out-of-bounds write in the jq command-line JSON processor (CWE-787) lets a crafted JSON input corrupt memory when parsed
jq, the command-line JSON processor, was patched in Alpine Linux with package version 1.8.2-r0. The specific vulnerabili
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() AP
jq on Alpine Linux was patched in package version 1.8.2-r0, addressing an unspecified vulnerability. The nature of the f
Buffer overflow in jq 1.8.1 and earlier allows local attackers to cause denial of service by providing a crafted JSON nu
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today