CVE-2025-48060

Published: 21 May 2025
Source: redhat
CVSS3: 5.5
EPSS: Low

Description

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.

A flaw was found in jq, a command line JSON processor. A specially crafted input can cause a heap-based buffer over-read when formatting an empty string because it was not properly null-terminated, causing a crash and resulting in a denial of service.

Report

To exploit this flaw, an attacker needs to trick a user into processing a specially crafted JSON input, allowing an attacker to trigger a buffer over-read of 2 bytes and cause a crash in jq with no other security impact. Due to these reasons, this flaw has been rated with a Moderate severity. Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-126: Buffer Over-read vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Memory access boundaries are enforced through secure coding practices, including bounds checking and automated detection of over-read conditions during development. Static analysis and peer reviews catch improper memory handling early, reducing the risk of vulnerabilities reaching production. Memory protection mechanisms restrict access to allocated regions at runtime, and process isolation contains memory faults within the affected workload. Additionally, a defense-in-depth monitoring strategy supports real-time detection of anomalous memory activity, enabling rapid response and limiting potential impact.

Mitigation

Do not process untrusted input with the jq command line JSON processor.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| Red Hat Ansible Automation Platform 2 | automation-controller | Affected | | |
| Red Hat Ceph Storage 4 | jq | Affected | | |
| Red Hat Enterprise Linux 10 | jq | Fixed | RHSA-2025:12882 | 05.08.2025 |
| Red Hat Enterprise Linux 8 | jq | Fixed | RHSA-2025:10618 | 08.07.2025 |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | jq | Fixed | RHSA-2025:10622 | 08.07.2025 |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | jq | Fixed | RHSA-2025:10621 | 08.07.2025 |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | jq | Fixed | RHSA-2025:10620 | 08.07.2025 |
| Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On | jq | Fixed | RHSA-2025:10620 | 08.07.2025 |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | jq | Fixed | RHSA-2025:10620 | 08.07.2025 |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | jq | Fixed | RHSA-2025:10620 | 08.07.2025 |

Additional information

Status: Moderate
Defect: CWE-126
https://bugzilla.redhat.com/show_bug.cgi?id=2367842 jq: AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt)

EPSS

Percentile: 25%
0.00081
Low

5.5 Medium

CVSS3

Related vulnerabilities

CVSS3: 7.5
ubuntu
3 months ago

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.

CVSS3: 7.5
nvd
3 months ago

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.

CVSS3: 7.5
msrc
9 days ago

No description available

CVSS3: 7.5
debian
3 months ago

jq is a command-line JSON processor. In versions up to and including 1 ...

CVSS3: 7.5
fstec
3 months ago

A vulnerability in the jv_string_vfmt function of the jq functional programming language that allows an attacker to cause a denial of service