CVE-2023-50246: jq has heap-buffer-overflow vulnerability in the function decToString in decNumber.c

6.2 CVSS

Description

jq is a command-line JSON processor. Version 1.7 contains a heap-based buffer overflow in the function decToString in decNumber.c. Version 1.7.1 contains a patch for this issue.

Classification

CVE ID: CVE-2023-50246

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.2

Affected Products

Vendor: jqlang

Product: jq

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 5.1% (this score is less than or equal to the scores of 5.1% of all scored vulnerabilities)

EPSS Date: 2025-02-03 (date on which this score was calculated)

References

https://github.com/jqlang/jq/security/advisories/GHSA-686w-5m7m-54vc
https://github.com/jqlang/jq/commit/71c2ab509a8628dbbad4bc7b3f98a64aa90d3297
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64574
http://www.openwall.com/lists/oss-security/2023/12/15/10

Timeline