Security - CVE-2020-10675 #258

satish-suradkar · 2023-01-17T05:59:39Z

jsonparserv1.1.1 has a critical vulnerability found CVE-2020-10675

The Library API in buger jsonparser through 2019-12-04 allows attackers to cause a denial of service (infinite loop) via a Delete call.

The text was updated successfully, but these errors were encountered:

milosonator · 2023-01-25T09:06:01Z

As far as I can tell, this was fixed with #192 ; and released in https://github.com/buger/jsonparser/releases/tag/v1.0.0 .

buger · 2023-01-25T15:51:45Z

That's very interesting, I wonder what are the details of this issue 🤔

buger · 2023-01-25T15:54:34Z

So here is what fixed the issue #188, @milosonator is right.

I wonder how to remove this CVE from databases 🤔

buger · 2023-01-25T15:55:20Z

Github, for example, mark it as fixed in 1.0.0 GHSA-rmh2-65xw-9m6q

acusworth · 2023-04-04T15:48:59Z

@buger Looks like the CPE on the vulnerability may be too inclusive and would flag for all versions. Blackduck (the tool in the screenshot) uses CPEs to determine what is the affected versions.
I would suggest sending an email to cpe_dictionary@nist.gov explaining which are the affected versions and see if they can correct the CPE listings.
For reference, this CPE may be the offending line: https://nvd.nist.gov/products/cpe/detail/A1B3E5D2-E98F-43ED-BC65-7BE620410A36?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Ajsonparser_project%3Ajsonparser%3A-%3A*%3A*%3A*%3A*%3A*%3A*%3A*&status=FINAL%2CDEPRECATED

satish-suradkar mentioned this issue Jan 17, 2023

Dependent package has critical vulnerability flowstack/go-jsonschema#2

Closed

Provide feedback