{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-04-24T00:00:00", "descriptions": [{"lang": "en", "value": "The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. This issue has been fixed in jq 1.6_rc1-r0."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-02-04T15:48:58", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20160424 Re: CVE Request: jq: stack exhaustion using jv_dump_term() function", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/04/24/4"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/stedolan/jq/issues/1136"}, {"name": "[oss-security] 20160424 CVE Request: jq: stack exhaustion using jv_dump_term() function", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/04/24/3"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/stedolan/jq/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/NixOS/nixpkgs/pull/18908"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/hashicorp/consul/issues/10263"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-4074", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. This issue has been fixed in jq 1.6_rc1-r0."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20160424 Re: CVE Request: jq: stack exhaustion using jv_dump_term() function", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/04/24/4"}, {"name": "https://github.com/stedolan/jq/issues/1136", "refsource": "MISC", "url": "https://github.com/stedolan/jq/issues/1136"}, {"name": "[oss-security] 20160424 CVE Request: jq: stack exhaustion using jv_dump_term() function", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/04/24/3"}, {"name": "https://github.com/stedolan/jq/", "refsource": "MISC", "url": "https://github.com/stedolan/jq/"}, {"name": "https://github.com/NixOS/nixpkgs/pull/18908", "refsource": "MISC", "url": "https://github.com/NixOS/nixpkgs/pull/18908"}, {"name": "https://github.com/hashicorp/consul/issues/10263", "refsource": "MISC", "url": "https://github.com/hashicorp/consul/issues/10263"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T00:17:30.898Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20160424 Re: CVE Request: jq: stack exhaustion using jv_dump_term() function", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/04/24/4"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/stedolan/jq/issues/1136"}, {"name": "[oss-security] 20160424 CVE Request: jq: stack exhaustion using jv_dump_term() function", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/04/24/3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/stedolan/jq/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/NixOS/nixpkgs/pull/18908"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/hashicorp/consul/issues/10263"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-4074", "datePublished": "2016-05-06T17:00:00", "dateReserved": "2016-04-24T00:00:00", "dateUpdated": "2024-08-06T00:17:30.898Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jq_project:jq:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF54817B-2574-48EC-AB56-D080733E0C2D", "versionEndIncluding": "1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. This issue has been fixed in jq 1.6_rc1-r0."}, {"lang": "es", "value": "La funci\u00f3n jv_dump_term de jq 1.5 permite a los atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de pila y ca\u00edda de la aplicaci\u00f3n) a trav\u00e9s de un archivo JSON manipulado. Este problema ha sido corregido en jg 1.6_rc1-r0"}], "id": "CVE-2016-4074", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-05-06T17:59:07.303", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/04/24/3"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/04/24/4"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/NixOS/nixpkgs/pull/18908"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/hashicorp/consul/issues/10263"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://github.com/stedolan/jq/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/stedolan/jq/issues/1136"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/04/24/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/04/24/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/NixOS/nixpkgs/pull/18908"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/hashicorp/consul/issues/10263"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Third Party Advisory"], "url": "https://github.com/stedolan/jq/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/stedolan/jq/issues/1136"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "jq: stack exhaustion via jv_dump_term() function", "id": "1329982", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1329982"}, "csaw": false, "cvss": {"cvss_base_score": "2.6", "cvss_scoring_vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "status": "draft"}, "cwe": "CWE-400", "details": ["The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. This issue has been fixed in jq 1.6_rc1-r0."], "name": "CVE-2016-4074", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openstack:6", "fix_state": "Will not fix", "package_name": "jq", "product_name": "Red Hat Enterprise Linux OpenStack Platform 6 (Juno)"}, {"cpe": "cpe:/a:redhat:openstack:7", "fix_state": "Will not fix", "package_name": "jq", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Will not fix", "package_name": "jq", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "package_name": "jq", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2016-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-4074\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-4074"], "statement": "Because this vulnerability requires that an unsuspecting user parses a specially crafted malicious JSON file, or that a service that does so accepts untrusted input, and because the consequences of this flaw are limited to exhaustion of the resources available to the user with whose privileges jq parses the malicious file, Red Hat assesses this vulnerability's impact as Low.", "threat_severity": "Low"}