CVE-2020-12762 Information

Description

json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file as demonstrated by printbuf_memappend.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reference

https://github.com/json-c/json-c/pull/592 https://github.com/rsyslog/libfastjson/issues/161 https://lists.debian.org/debian-lts-announce/2020/05/msg00032.html https://lists.debian.org/debian-lts-announce/2020/05/msg00034.html https://lists.debian.org/debian-lts-announce/2020/07/msg00031.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBR36IXYBHITAZFB5PFBJTED22WO5ONB/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CQQRRGBQCAWNCCJ2HN3W5SSCZ4QGMXQI/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W226TSCJBEOXDUFVKNWNH7ETG7AR6MCS/ https://security.gentoo.org/glsa/202006-13 https://usn.ubuntu.com/4360-1/ https://usn.ubuntu.com/4360-4/ https://www.debian.org/security/2020/dsa-4741

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.8