CVE-2024-23337

jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e	Patch
https://github.com/jqlang/jq/issues/3262	Exploit Issue Tracking
https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46	Exploit Vendor Advisory
https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*:*

History

20 Jun 2025, 17:41

Type	Values Removed	Values Added
First Time		Jqlang Jqlang jq
References	~~() https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e -~~	() https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e - Patch
References	~~() https://github.com/jqlang/jq/issues/3262 -~~	() https://github.com/jqlang/jq/issues/3262 - Exploit, Issue Tracking
References	~~() https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46 -~~	() https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46 - Exploit, Vendor Advisory
CPE		cpe:2.3:a:jqlang:jq::::::::
Summary		(es) jq es un procesador JSON de línea de comandos. En versiones hasta la 1.7.1 (incluida), se produce un desbordamiento de entero al asignar un valor utilizando un índice de 2147483647, el límite de enteros con signo. Esto provoca una denegación de servicio. El commit de21386681c0df0104a99d9d09db23a9b2a78b1e contiene un parche para este problema.

21 May 2025, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-21 15:16

Updated : 2025-06-20 17:41

NVD link : CVE-2024-23337

Mitre link : CVE-2024-23337

CVE.ORG link : CVE-2024-23337

JSON object : View

Products Affected

jqlang

jq

CWE

CWE-190

Integer Overflow or Wraparound

{"id": "CVE-2024-23337", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-05-21T15:16:03.920", "references": [{"url": "https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/jqlang/jq/issues/3262", "tags": ["Exploit", "Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-190"}]}], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue."}, {"lang": "es", "value": "jq es un procesador JSON de l\u00ednea de comandos. En versiones hasta la 1.7.1 (incluida), se produce un desbordamiento de entero al asignar un valor utilizando un \u00edndice de 2147483647, el l\u00edmite de enteros con signo. Esto provoca una denegaci\u00f3n de servicio. El commit de21386681c0df0104a99d9d09db23a9b2a78b1e contiene un parche para este problema."}], "lastModified": "2025-06-20T17:41:15.807", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C4AFD89F-511E-4436-9D4F-28E33F0785DE", "versionEndIncluding": "1.7.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}