CVE-2016-4425
medium
CVSS v3
6.5
CVSS v2
5.0
VIR risk
6.5
Description
Jansson 2.7 and earlier allows context-dependent attackers to cause a denial of service (deep recursion, stack consumption, and crash) via crafted JSON data.
Predictions
Exploit likelihood
75%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-4425
Vendor advisory: cve@mitre.org — https://github.com/akheron/jansson/pull/284
Vendor advisory: cve@mitre.org — https://github.com/akheron/jansson/issues/282
Vendor advisory: arch — https://security.archlinux.org/ASA-201609-17
Vendor advisory: arch — https://security.archlinux.org/ASA-201609-15
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2016-4425.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| arch | fixed | 2.8-1 | |
| debian | bookworm | fixed | 2.7-5 |
| debian | bullseye | fixed | 2.7-5 |
| debian | forky | fixed | 2.7-5 |
| debian | sid | fixed | 2.7-5 |
| debian | trixie | fixed | 2.7-5 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| jansson_project | jansson | {"endIncluding":"2.7"} | |
References
- https://www.suse.com/security/cve/CVE-2016-4425.html
- https://security.archlinux.org/ASA-201609-15
- https://security.archlinux.org/ASA-201609-17
- http://www.debian.org/security/2015/dsa-3577
- http://www.openwall.com/lists/oss-security/2016/05/01/5
- http://www.openwall.com/lists/oss-security/2016/05/02/1
- http://www.openwall.com/lists/oss-security/2016/05/03/3
- https://github.com/akheron/jansson/issues/282
- https://github.com/akheron/jansson/pull/284
- https://github.com/akheron/jansson/pull/284/commits/64ce0ad3731ebd77e02897b07920eadd0e2cc318
- https://security-tracker.debian.org/tracker/CVE-2016-4425
CWEs
CWE-20 CWE-674
Verify integrity in audit chain (admin only). AS-IS.