Description
A vulnerability was found in jqlang jq up to version 1.6. It affects the function run_jq_tests in the file jq_test.c of the JSON Parser component. Manipulation of the input can lead to a reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be used. Other versions may also be affected.
A vulnerability has been identified in the jq JSON processor: malformed JSON input containing invalid Unicode escape sequences can trigger an assertion failure in the test suite's parsing consistency checks. The flaw arises from inconsistencies between the expected JSON value and the value obtained after serializing and reparsing it. An attacker who can supply specially crafted JSON data to the test run can cause abnormal termination (denial of service) of the test suite, which exposes a weakness in the reliability of jq's parsing.
Statement
This vulnerability is limited to jq’s internal test framework and does not affect jq’s core functionality in production use. Exploitation requires supplying malformed JSON with invalid Unicode escape sequences during test execution, which can trigger an assertion failure and abnormal termination of the test suite. The issue is rated Low severity as it only causes test crashes in debug or development environments, without exposing sensitive data, compromising system integrity, or affecting jq’s normal JSON processing in production.
Mitigation
No action is required for production users, as the vulnerability only affects jq’s internal test framework and does not impact its core JSON processing functionality. Standard deployments of jq remain unaffected. Developers and testers are advised to avoid running the test suite with untrusted or malformed JSON input until a fix is applied.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Ansible Automation Platform 2 | automation-controller | Fix deferred | | |
Red Hat Ceph Storage 4 | jq | Fix deferred | | |
Red Hat Enterprise Linux 10 | jq | Fix deferred | | |
Red Hat Enterprise Linux 8 | jq | Out of support scope | | |
Red Hat Enterprise Linux 9 | jq | Fix deferred | | |
Red Hat OpenShift Container Platform 4 | rhcos | Fix deferred | | |
Red Hat Trusted Application Pipeline | rhtap-cli/rhtap-cli-rhel9 | Fix deferred | | |
Additional information
EPSS
3.3 Low
CVSS3