Jansson, possibly 2.4 and earlier, does not restrict the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted JSON document.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| jansson_project | jansson | 2.0 |
| jansson_project | jansson | 2.2 |
| jansson_project | jansson | 2.3 |
| jansson_project | jansson | * |
| jansson_project | jansson | 2.2.1 |
| jansson_project | jansson | 2.1 |
| jansson_project | jansson | 2.0.1 |
| jansson_project | jansson | 2.3.1 |
Jansson 2.7 and earlier allows context-dependent attackers to cause a denial of service (deep recursion, stack consumption, and crash) via crafted JSON data.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-674,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| jansson_project | jansson | * |
An issue was discovered in Jansson through 2.13.1. Due to a parsing error in json_loads, there's an out-of-bounds read-access bug. NOTE: the vendor reports that this only occurs when a programmer fails to follow the API specification
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| jansson_project | jansson | * |