CVE-2023-50268

low-risk
Published 2023-12-13

jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.

Do I need to act?

-
0.10% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.2/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Jq

Affected Vendors

Jqlang

References (10)

Mailing List http://www.openwall.com/lists/oss-security/2023/12/15/10
Issue Tracking https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771
Patch https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b
Issue Tracking https://github.com/jqlang/jq/pull/2804
Exploit https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j
Mailing List http://www.openwall.com/lists/oss-security/2023/12/15/10
Issue Tracking https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771
Patch https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b
Issue Tracking https://github.com/jqlang/jq/pull/2804
Exploit https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j
25
/ 100
low-risk
Severity 20/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal