#VU31230 Use-after-free in cJSON - CVE-2018-1000217

Cybersecurity Help s.r.o.

Published: 2018-08-20 | Updated: 2020-07-17

Vulnerability identifier: #VU31230

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-1000217

CWE-ID: CWE-416

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
cJSON
Universal components / Libraries / Libraries used by multiple products

Vendor: DaveGamble

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Dave Gamble cJSON version 1.7.3 and earlier contains a CWE-416: Use After Free vulnerability in cJSON library that can result in Possible crash, corruption of data or even RCE. This attack appear to be exploitable via Depends on how application uses cJSON library. If application provides network interface then can be exploited over a network, otherwise just local.. This vulnerability appears to have been fixed in 1.7.4.

Mitigation
Install update from vendor's website.

Vulnerable software versions

cJSON: 1.7.0 - 1.7.3

External links
https://github.com/DaveGamble/cJSON/issues/248

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Use-after-free in DaveGamble cJSON