Improper Check for Unusual or Exceptional Conditions in cJSON

#VU35696 Improper Check for Unusual or Exceptional Conditions in cJSON

Published: 2019-07-19 | Updated: 2020-10-27

Vulnerability identifier: #VU35696

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1010239

CWE-ID: CWE-754

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
cJSON
Universal components / Libraries / Libraries used by multiple products

Vendor: DaveGamble

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

DaveGamble/cJSON cJSON 1.7.8 is affected by: Improper Check for Unusual or Exceptional Conditions. The impact is: Null dereference, so attack can cause denial of service. The component is: cJSON_GetObjectItemCaseSensitive() function. The attack vector is: crafted json file. The fixed version is: 1.7.9 and later.

Mitigation
Install update from vendor's website.

Vulnerable software versions

cJSON: 1.7.8

External links
http://github.com/DaveGamble/cJSON/commit/be749d7efa7c9021da746e685bd6dec79f9dd99b
http://github.com/DaveGamble/cJSON/issues/315

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Oracle TimesTen In-Memory Database

Improper Check for Unusual or Exceptional Conditions in DaveGamble cJSON