CVE-2022-23459

19.08.2022, 19:15

Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. Users are advised to find a replacement.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
GitHub_M	CNA	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 27%

Vendor	Product	Version
json\+\+_project	json\+\+	1.0.0
json\+\+_project	json\+\+	1.0.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-415 - Double Free
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

References

https://securitylab.github.com/advisories/GHSL-2022-048_Jsonxx