CVE-2018-1000217

{"id": "CVE-2018-1000217", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2018-08-20T20:29:00.737", "references": [{"url": "https://github.com/DaveGamble/cJSON/issues/248", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/DaveGamble/cJSON/issues/248", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "Dave Gamble cJSON version 1.7.3 and earlier contains a CWE-416: Use After Free vulnerability in cJSON library that can result in Possible crash, corruption of data or even RCE. This attack appear to be exploitable via Depends on how application uses cJSON library. If application provides network interface then can be exploited over a network, otherwise just local.. This vulnerability appears to have been fixed in 1.7.4."}, {"lang": "es", "value": "Dave Gamble cJSON en versiones 1.7.3 y anteriores contiene una vulnerabilidad CWE-416: Uso de memoria previamente liberada en la librer\u00eda cJSON que puede resultar en un posible cierre inesperado, la corrupci\u00f3n de los datos o incluso un RCE. El ataque parece ser explotable dependiendo del uso que le da la aplicaci\u00f3n a la librer\u00eda cJSON. Si la aplicaci\u00f3n proporciona una interfaz de red, entonces se puede explotar a trav\u00e9s de la red. En caso contrario, se ejecutar\u00eda de manera local. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 1.7.4."}], "lastModified": "2025-07-22T18:17:45.530", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:davegamble:cjson:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "100CD60C-A820-4F44-A5CC-7546B02045AF", "versionEndExcluding": "1.7.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}