{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23337", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-15T15:19:19.443Z", "datePublished": "2025-05-21T14:34:51.007Z", "dateUpdated": "2025-05-21T14:57:18.378Z"}, "containers": {"cna": {"title": "jq has signed integer overflow in jv.c:jvp_array_write", "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46"}, {"name": "https://github.com/jqlang/jq/issues/3262", "tags": ["x_refsource_MISC"], "url": "https://github.com/jqlang/jq/issues/3262"}, {"name": "https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e", "tags": ["x_refsource_MISC"], "url": "https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e"}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"version": "<= 1.7.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-21T14:34:51.007Z"}, "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue."}], "source": {"advisory": "GHSA-2q6r-344g-cx46", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-21T14:57:14.962759Z", "id": "CVE-2024-23337", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-21T14:57:18.378Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23337", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-21T14:57:14.962759Z"}}}], "references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-21T14:57:10.804Z"}}], "cna": {"title": "jq has signed integer overflow in jv.c:jvp_array_write", "source": {"advisory": "GHSA-2q6r-344g-cx46", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"status": "affected", "version": "<= 1.7.1"}]}], "references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46", "name": "https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jqlang/jq/issues/3262", "name": "https://github.com/jqlang/jq/issues/3262", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e", "name": "https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190: Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-21T14:34:51.007Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23337", "state": "PUBLISHED", "dateUpdated": "2025-05-21T14:57:18.378Z", "dateReserved": "2024-01-15T15:19:19.443Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-21T14:34:51.007Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4AFD89F-511E-4436-9D4F-28E33F0785DE", "versionEndIncluding": "1.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue."}, {"lang": "es", "value": "jq es un procesador JSON de l\u00ednea de comandos. En versiones hasta la 1.7.1 (incluida), se produce un desbordamiento de entero al asignar un valor utilizando un \u00edndice de 2147483647, el l\u00edmite de enteros con signo. Esto provoca una denegaci\u00f3n de servicio. El commit de21386681c0df0104a99d9d09db23a9b2a78b1e contiene un parche para este problema."}], "id": "CVE-2024-23337", "lastModified": "2025-06-20T17:41:15.807", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-21T15:16:03.920", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/jqlang/jq/issues/3262"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "jq: jq has signed integer overflow in jv.c:jvp_array_write", "id": "2367807", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2367807"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-190->CWE-125", "details": ["jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue.", "A flaw was found in jq, a command line JSON processor. An integer overflow can occur when attempting to assign a value using an array index of 2147483647 or when creating an array with 2147483647 elements, the maximum value for a 32-bit signed integer. This issue causes out-of-bounds memory access and results in a denial of service."], "mitigation": {"lang": "en:us", "value": "Do not process untrusted input with the jq command line JSON processor."}, "name": "CVE-2024-23337", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-05-21T14:34:51Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-23337\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-23337\nhttps://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e\nhttps://github.com/jqlang/jq/issues/3262\nhttps://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46"], "statement": "To exploit this flaw, an attacker needs to trick a user into processing a specially crafted JSON input, allowing an attacker to trigger an integer overflow and cause a crash in jq with no other security impact. Due to these reasons, this flaw has been rated with a Moderate severity.", "threat_severity": "Moderate"}