Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
9.8
CVSSv3

CVE-2015-8863

Published: 06/05/2016 Updated: 30/10/2018
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 891
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Subscribe to Opensuse

Vulnerability Summary

Off-by-one error in the tokenadd function in jv_parse.c in jq allows remote malicious users to cause a denial of service (crash) via a long JSON-encoded number, which triggers a heap-based buffer overflow.

Vulnerable Product Search on Vulmon Subscribe to Product

opensuse opensuse 13.2

opensuse leap 42.1

jq project jq

Vendor Advisories

Debian CVElist Bug Report Logs: jq: CVE-2015-8863: Heap buffer overflow in tokenadd()
Debian Bug report logs - #802231 jq: CVE-2015-8863: Heap buffer overflow in tokenadd() Package: jq; Maintainer for jq is ChangZhuo Chen (陳昌倬) <czchen@debianorg>; Source for jq is src:jq (PTS, buildd, popcon) Reported by: Jakub Wilk <jwilk@debianorg> Date: Sun, 18 Oct 2015 16:06:02 UTC Severity: normal Tags: ...
Debian CVElist Bug Report Logs: jq: CVE-2016-4074: Stack exhaustion parsing a JSON file
Debian Bug report logs - #822456 jq: CVE-2016-4074: Stack exhaustion parsing a JSON file Package: src:jq; Maintainer for src:jq is ChangZhuo Chen (陳昌倬) <czchen@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sun, 24 Apr 2016 17:27:02 UTC Severity: normal Tags: security, upstream Found ...
Amazon Linux AMI: ALAS-2016-705
A heap-based buffer overflow flaw was found in the tokenadd() function By tricking a victim into processing a specially crafted JSON file, an attacker could use this flaw to crash jq or, potentially, execute arbitrary code on the victim's system (CVE-2015-8863) ...
Red Hat: CVE-2015-8863
A heap-based buffer overflow flaw was found in jq's tokenadd() function By tricking a victim into processing a specially crafted JSON file, an attacker could use this flaw to crash jq or, potentially, execute arbitrary code on the victim's system ...

References

CWE-119https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802231http://www.openwall.com/lists/oss-security/2016/04/23/2http://lists.opensuse.org/opensuse-updates/2016-05/msg00012.htmlhttp://www.openwall.com/lists/oss-security/2016/04/23/1http://lists.opensuse.org/opensuse-updates/2016-05/msg00014.htmlhttps://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babdhttps://github.com/stedolan/jq/issues/995http://rhn.redhat.com/errata/RHSA-2016-1098.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1099.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1106.htmlhttps://security.gentoo.org/glsa/201612-20https://nvd.nist.govhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802231https://alas.aws.amazon.com/ALAS-2016-705.html
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-3675CVE-2024-3400CVE-2024-23557mass assignmentCVE-2023-1389local file inclusionCVE-2024-32596file uploadCVE-2024-32593
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook