ALT-PU-2016-1749-1
Closed vulnerabilities
Published: 2016-09-26
Modified: 2025-01-15
Modified: 2025-01-15
CVE-2016-4303
The parse_string function in cjson.c in the cJSON library mishandles UTF8/16 strings, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a non-hex character in a JSON string, which triggers a heap-based buffer overflow.
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://blog.talosintel.com/2016/06/esnet-vulnerability.html
- http://blog.talosintel.com/2016/06/esnet-vulnerability.html
- openSUSE-SU-2016:2113
- openSUSE-SU-2016:2113
- openSUSE-SU-2016:2121
- openSUSE-SU-2016:2121
- http://software.es.net/iperf/news.html#security-issue-iperf-3-1-3-iperf-3-0-12-released
- http://software.es.net/iperf/news.html#security-issue-iperf-3-1-3-iperf-3-0-12-released
- http://www.talosintelligence.com/reports/TALOS-2016-0164/
- http://www.talosintelligence.com/reports/TALOS-2016-0164/
- https://github.com/esnet/iperf/commit/91f2fa59e8ed80dfbf400add0164ee0e508e412a
- https://github.com/esnet/iperf/commit/91f2fa59e8ed80dfbf400add0164ee0e508e412a
- [debian-lts-announce] 20200127 [SECURITY] [DLA 2080-1] iperf3 security update
- [debian-lts-announce] 20200127 [SECURITY] [DLA 2080-1] iperf3 security update
- https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc
- https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc