CVE-2015-8863

9.8 CRITICAL

Published: May 06, 2016 Modified: May 06, 2026

Description

Off-by-one error in the tokenadd function in jv_parse.c in jq allows remote attackers to cause a denial of service (crash) via a long JSON-encoded number, which triggers a heap-based buffer overflow.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://lists.opensuse.org/opensuse-updates/2016-05/msg00012.html

Source: security@debian.org

http://lists.opensuse.org/opensuse-updates/2016-05/msg00014.html

Source: security@debian.org

http://rhn.redhat.com/errata/RHSA-2016-1098.html

Source: security@debian.org

http://rhn.redhat.com/errata/RHSA-2016-1099.html

Source: security@debian.org

http://rhn.redhat.com/errata/RHSA-2016-1106.html

Source: security@debian.org

http://www.openwall.com/lists/oss-security/2016/04/23/1

Source: security@debian.org

http://www.openwall.com/lists/oss-security/2016/04/23/2

Source: security@debian.org

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802231

Source: security@debian.org

https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd

Source: security@debian.org

Patch

https://github.com/stedolan/jq/issues/995

Source: security@debian.org

https://security.gentoo.org/glsa/201612-20

Source: security@debian.org

http://lists.opensuse.org/opensuse-updates/2016-05/msg00012.html