Security - CVE-2020-10675

[satish-suradkar]

jsonparserv1.1.1 has a critical vulnerability found CVE-2020-10675

The Library API in buger jsonparser through 2019-12-04 allows attackers to cause a denial of service (infinite loop) via a Delete call.

[milosonator]

As far as I can tell, this was fixed with #192 ; and released in https://github.com/buger/jsonparser/releases/tag/v1.0.0 .

[buger]

That's very interesting, I wonder what are the details of this issue 🤔

1.1.1 had fix for https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35381, but that's one different.

[buger]

So here is what fixed the issue #188, @milosonator is right.

I wonder how to remove this CVE from databases 🤔

[buger]

Github, for example, mark it as fixed in 1.0.0 GHSA-rmh2-65xw-9m6q

[acusworth]

@buger Looks like the CPE on the vulnerability may be too inclusive and would flag for all versions. Blackduck (the tool in the screenshot) uses CPEs to determine what is the affected versions.
I would suggest sending an email to [email protected] explaining which are the affected versions and see if they can correct the CPE listings.
For reference, this CPE may be the offending line: https://nvd.nist.gov/products/cpe/detail/A1B3E5D2-E98F-43ED-BC65-7BE620410A36?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Ajsonparser_project%3Ajsonparser%3A-%3A*%3A*%3A*%3A*%3A*%3A*%3A*&status=FINAL%2CDEPRECATED