
Security - CVE-2020-10675

Open satish-suradkar opened this issue 2 years ago • 5 comments

jsonparser v1.1.1 has a critical vulnerability, CVE-2020-10675.

The Library API in buger jsonparser through 2019-12-04 allows attackers to cause a denial of service (infinite loop) via a Delete call.

[Screenshot attached: scanner result, 2023-01-17 11:27:26 AM]

satish-suradkar avatar Jan 17 '23 05:01 satish-suradkar

As far as I can tell, this was fixed with https://github.com/buger/jsonparser/pull/192 and released in https://github.com/buger/jsonparser/releases/tag/v1.0.0.

milosonator avatar Jan 25 '23 09:01 milosonator

That's very interesting, I wonder what are the details of this issue 🤔

1.1.1 had a fix for https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35381, but that's a different one.

buger avatar Jan 25 '23 15:01 buger

So here is what fixed the issue: https://github.com/buger/jsonparser/issues/188. @milosonator is right.

I wonder how to remove this CVE from databases 🤔

buger avatar Jan 25 '23 15:01 buger

GitHub, for example, marks it as fixed in 1.0.0: https://github.com/advisories/GHSA-rmh2-65xw-9m6q

buger avatar Jan 25 '23 15:01 buger

@buger Looks like the CPE on the vulnerability may be too inclusive and would flag all versions. Black Duck (the tool in the screenshot) uses CPEs to determine what the affected versions are. I would suggest sending an email to [email protected] explaining which are the affected versions and seeing if they can correct the CPE listings. For reference, this CPE may be the offending line: https://nvd.nist.gov/products/cpe/detail/A1B3E5D2-E98F-43ED-BC65-7BE620410A36?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Ajsonparser_project%3Ajsonparser%3A-%3A*%3A*%3A*%3A*%3A*%3A*%3A*&status=FINAL%2CDEPRECATED

acusworth avatar Apr 04 '23 15:04 acusworth
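The comment above attributes the false positive to an over-inclusive CPE rather than to the code itself. The following Go program is an added illustration of that matching logic, not code from the jsonparser project or from any scanner: it parses the CPE 2.3 string quoted in the NVD link (`cpe:2.3:a:jsonparser_project:jsonparser:-:*:*:*:*:*:*:*`) and then evaluates an installed version against it, once with no version bound and once with an NVD-style `versionEndExcluding` of 1.0.0 (the fix version the thread cites from the GitHub advisory). The `Range` type, the `MatchesVersion` rule, and the choice to treat both `*` (ANY) and `-` (NA) in the version field as "no specific version stated, so every version matches unless a range narrows it" are assumptions made here to model the over-inclusive behaviour described in the comment; strict CPE 2.3 semantics give `-` a narrower meaning.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// CPE holds the eleven components of a CPE 2.3 formatted string.
type CPE struct {
	Part, Vendor, Product, Version, Update, Edition, Language,
	SWEdition, TargetSW, TargetHW, Other string
}

// Range models the version bounds NVD attaches to a CPE match in a
// configuration (versionStartIncluding / versionEndExcluding).
// Empty strings mean "no bound". This is an assumed, simplified model.
type Range struct {
	StartIncluding, EndExcluding string
}

// ParseCPE23 splits a "cpe:2.3:..." string into its components.
// A colon escaped as "\:" inside a component is kept, not split on.
func ParseCPE23(s string) (CPE, error) {
	var fields []string
	var cur strings.Builder
	escaped := false
	for _, r := range s {
		switch {
		case escaped:
			cur.WriteRune(r)
			escaped = false
		case r == '\\':
			cur.WriteRune(r)
			escaped = true
		case r == ':':
			fields = append(fields, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	fields = append(fields, cur.String())
	// "cpe" + "2.3" + eleven attribute fields = 13 fields in total.
	if len(fields) != 13 || fields[0] != "cpe" || fields[1] != "2.3" {
		return CPE{}, fmt.Errorf("not a CPE 2.3 string: %q", s)
	}
	f := fields[2:]
	return CPE{f[0], f[1], f[2], f[3], f[4], f[5], f[6], f[7], f[8], f[9], f[10]}, nil
}

// compareVersions compares dotted numeric versions ("1.1.1" vs "1.0.0"),
// returning -1, 0 or 1. A leading "v" is ignored.
func compareVersions(a, b string) int {
	as := strings.Split(strings.TrimPrefix(a, "v"), ".")
	bs := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// MatchesVersion reports whether an installed version is flagged by a CPE
// plus an optional range. Assumption (to model the over-inclusive scanner
// behaviour in the thread): a version field of "*" or "-" matches every
// version unless the range narrows it; any other value must match exactly.
func MatchesVersion(c CPE, r Range, installed string) bool {
	if c.Version != "*" && c.Version != "-" {
		return compareVersions(c.Version, installed) == 0
	}
	if r.StartIncluding != "" && compareVersions(installed, r.StartIncluding) < 0 {
		return false
	}
	if r.EndExcluding != "" && compareVersions(installed, r.EndExcluding) >= 0 {
		return false
	}
	return true
}

func main() {
	// CPE string from the NVD link quoted in the thread.
	c, err := ParseCPE23("cpe:2.3:a:jsonparser_project:jsonparser:-:*:*:*:*:*:*:*")
	if err != nil {
		panic(err)
	}
	installed := "1.1.1" // version reported by the scanner in the thread
	fmt.Printf("%s/%s version field %q\n", c.Vendor, c.Product, c.Version)
	fmt.Println("unbounded CPE flags", installed, "=>", MatchesVersion(c, Range{}, installed))
	fmt.Println("bounded (<1.0.0) flags", installed, "=>", MatchesVersion(c, Range{EndExcluding: "1.0.0"}, installed))
}
```

Run as written, the unbounded match reports `true` for 1.1.1 while the range bounded below the fix version reports `false`, which is the difference between the scanner's finding and the advisory's "fixed in 1.0.0" statement.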