CVE-2020-7712

moderate-risk

Published 2020-08-30

This affects the package json before 10.0.0. It is possible to inject arbritary commands using the parseLookup function.

Do I need to act?

-

0.53% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

7

CVSS 7.2/10 High

NETWORK / LOW complexity

Affected Products (6)

Json

Commerce Guided Search

Financial Services Crime And Compliance Management Studio

Financial Services Crime And Compliance Management Studio

Financial Services Regulatory Reporting With Agilereporter

Timesten In-Memory Database

Affected Vendors

Oracle Joyent

References (44)

Exploit https://github.com/trentm/json/issues/144

Patch https://github.com/trentm/json/pull/145

https://lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320...

https://lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79df...

https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b31116...

https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f...

https://lists.apache.org/thread.html/r977a907ecbedf87ae5ba47d4c77639efb120f74d4d...

https://lists.apache.org/thread.html/r9c6d28e5b9a9b3481b7d1f90f1c2f75cd1a5ade910...

https://lists.apache.org/thread.html/ra890c24b3d90be36daf48ae76b263acb297003db24...

https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b8...

https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea07...

https://lists.apache.org/thread.html/rb89bd82dffec49f83b49e9ad625b1b63a408b3c7d1...

https://lists.apache.org/thread.html/rba7ea4d75d6a8e5b935991d960d9b893fd30e576c4...

https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b91...

https://lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfa...

https://lists.apache.org/thread.html/ree3abcd33c06ee95ab59faa1751198a1186d8941dd...

Broken Link https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-608932

Exploit https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-608931

Exploit https://snyk.io/vuln/SNYK-JS-JSON-597481

Patch https://www.oracle.com//security-alerts/cpujul2021.html

and 24 more references

41

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 2/34 · Minimal

Exposure 13/34 · Low