Vulnerability Description
This affects the package json before 10.0.0. It is possible to inject arbitrary commands using the parseLookup function.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Joyent | Json | < 10.0.0 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Financial Services Regulatory Reporting With Agilereporter | 8.0.9.6.3 |
| Oracle | Timesten In-Memory Database | < 21.1.1.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/trentm/json/issues/144 (Exploit, Third Party Advisory)
- https://github.com/trentm/json/pull/145 (Patch, Third Party Advisory)
- https://lists.apache.org/thread.html/r37c0e1807da7ff2bdd028bbe296465a6bbb99e2320
- https://lists.apache.org/thread.html/r3b04f4e99a19613f88ae088aa18cd271231a3c79df
- https://lists.apache.org/thread.html/r5f17bfca1d6e7f4b33ae978725b2fd62a9f1b31116
- https://lists.apache.org/thread.html/r8d2e174230f6d26e16c007546e804c343f1f68956f
- https://lists.apache.org/thread.html/r977a907ecbedf87ae5ba47d4c77639efb120f74d4d
- https://lists.apache.org/thread.html/r9c6d28e5b9a9b3481b7d1f90f1c2f75cd1a5ade910
- https://lists.apache.org/thread.html/ra890c24b3d90be36daf48ae76b263acb297003db24
- https://lists.apache.org/thread.html/rb023d54a46da1ac0d8969097f5fecc79636b07d3b8
- https://lists.apache.org/thread.html/rb2b981912446a74e14fe6076c4b7c7d8502727ea07
- https://lists.apache.org/thread.html/rb89bd82dffec49f83b49e9ad625b1b63a408b3c7d1
- https://lists.apache.org/thread.html/rba7ea4d75d6a8e5b935991d960d9b893fd30e576c4
- https://lists.apache.org/thread.html/rd9b9cc843f5cf5b532bdad9e87a817967efcf52b91
- https://lists.apache.org/thread.html/rec8bb4d637b04575da41cfae49118e108e95d43bfa
FAQ
What is CVE-2020-7712?
CVE-2020-7712 is a vulnerability with a CVSS score of 7.2 (HIGH). This affects the package json before 10.0.0. It is possible to inject arbitrary commands using the parseLookup function.
How severe is CVE-2020-7712?
CVE-2020-7712 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-7712?
Check the references section above for vendor advisories and patch information. Affected products include: Joyent Json, Oracle Commerce Guided Search, Oracle Financial Services Crime And Compliance Management Studio, Oracle Financial Services Regulatory Reporting With Agilereporter, Oracle Timesten In-Memory Database.