CVE-2020-12762

Summary

CVE	CVE-2020-12762
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-05-09 18:15:00 UTC
Updated	2023-11-07 03:15:00 UTC
Description	json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.

Risk And Classification

Problem Types: CWE-787 | CWE-190

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Canonical	Ubuntu Linux	12.04	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	18.04	All	All	All
Operating System	Canonical	Ubuntu Linux	19.10	All	All	All
Operating System	Canonical	Ubuntu Linux	20.04	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Fedoraproject	Fedora	30	All	All	All
Operating System	Fedoraproject	Fedora	31	All	All	All
Operating System	Fedoraproject	Fedora	32	All	All	All
Application	Json-c	Json-c	All	All	All	All
Application	Json-c	Json-c	All	All	All	All
Application	Json-c Project	Json-c	All	All	All	All
Application	Siemens	Sinec Ins	-	All	All	All
Application	Siemens	Sinec Ins	1.0	-	All	All
Application	Siemens	Sinec Ins	1.0	sp1	All	All

References

Reference	Source	Link	Tags
[SECURITY] [DLA 2301-1] json-c security update	MLIST	lists.debian.org
Please check if affected by CVE-2020-12762 · Issue #161 · rsyslog/libfastjson · GitHub	MISC	github.com
[SECURITY] [DLA 3461-1] libfastjson security update	MLIST	lists.debian.org
[SECURITY] Fedora 32 Update: json-c-0.13.1-12.fc32 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 30 Update: json-c-0.13.1-12.fc30 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
CVE-2020-12762 JSON-C Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
[SECURITY] Fedora 30 Update: json-c-0.13.1-12.fc30 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf	CONFIRM	cert-portal.siemens.com
json-c: Multiple vulnerabilities (GLSA 202006-13) — Gentoo security	GENTOO	security.gentoo.org
Prevent out of boundary write on malicious input by stoeckmann · Pull Request #592 · json-c/json-c · GitHub	CONFIRM	github.com	Exploit, Patch, Third Party Advisory
[SECURITY] Fedora 32 Update: json-c-0.13.1-12.fc32 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
USN-4360-4: json-c vulnerability \| Ubuntu security notices \| Ubuntu	UBUNTU	usn.ubuntu.com
Debian -- Security Information -- DSA-4741-1 json-c	DEBIAN	www.debian.org
[SECURITY] Fedora 31 Update: json-c-0.13.1-12.fc31 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] [DLA 2228-2] json-c regression update	MLIST	lists.debian.org
[SECURITY] Fedora 31 Update: json-c-0.13.1-12.fc31 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
USN-4360-1: json-c vulnerability \| Ubuntu security notices	UBUNTU	usn.ubuntu.com
[SECURITY] [DLA 2228-1] json-c security update	MLIST	lists.debian.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159500 Oracle Enterprise Linux Security Update for json-c (ELSA-2021-4382)
161097 Oracle Enterprise Linux Security Update for libfastjson (ELSA-2023-6431)
161149 Oracle Enterprise Linux Security Update for libfastjson (ELSA-2023-6976)
239843 Red Hat Update for json-c (RHSA-2021:4382)
242315 Red Hat Update for libfastjson (RHSA-2023:6431)
242417 Red Hat Update for libfastjson (RHSA-2023:6976)
242798 Red Hat Update for libfastjson (RHSA-2024:0573)
242856 Red Hat Update for libfastjson (RHSA-2024:0411)
243006 Red Hat Update for libfastjson (RHSA-2024:1086)
243036 Red Hat Update for libfastjson (RHSA-2024:1154)
285315 Fedora Security Update for libfastjson (FEDORA-2023-bf3b135831)
355395 Amazon Linux Security Advisory for libfastjson : ALAS2-2023-2079
355406 Amazon Linux Security Advisory for libfastjson : ALAS2023-2023-205
355466 Amazon Linux Security Advisory for json-c : ALAS2023-2023-232
500271 Alpine Linux Security Update for json-c
502998 Alpine Linux Security Update for libfastjson
504035 Alpine Linux Security Update for json-c
591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
6000157 Debian Security Update for libfastjson (DLA 3461-1)
673952 EulerOS Security Update for libfastjson (EulerOS-SA-2023-2649)
674018 EulerOS Security Update for libfastjson (EulerOS-SA-2023-2691)
751650 SUSE Enterprise Linux Security Update for json-c (SUSE-SU-2022:0184-1)
751660 OpenSUSE Security Update for json-c (openSUSE-SU-2022:0184-1)
751756 OpenSUSE Security Update for json-c (openSUSE-SU-2022:0184-2)
752541 SUSE Enterprise Linux Security Update for json-c (SUSE-SU-2022:3001-1)
900077 CBL-Mariner Linux Security Update for json-c 0.14
901250 Common Base Linux Mariner (CBL-Mariner) Security Update for json-c (6506-1)
902923 Common Base Linux Mariner (CBL-Mariner) Security Update for json-c (1949)
940230 AlmaLinux Security Update for json-c (ALSA-2021:4382)
941379 AlmaLinux Security Update for libfastjson (ALSA-2023:6431)
941452 AlmaLinux Security Update for libfastjson (ALSA-2023:6976)
960841 Rocky Linux Security Update for json-c (RLSA-2021:4382)