cJSON vulnerabilities found: API designs that use an in-memory data structure store as a database, cache and message broker must stay alert. (May 2019)

Preface: Lua is a powerful, fast, lightweight, embeddable scripting language, so it works well with geospatial data.

Technical background: Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker. To achieve its outstanding performance, Redis bundles several helper libraries: the Redis Lua interpreter loads seven libraries, namely base, table, string, math, debug, cjson, and cmsgpack. From a performance point of view, the cjson library provides extremely fast JSON manipulation within Lua. Note that the CVEs below are filed against DaveGamble/cJSON, a standalone C parser (the remediation link below points at its releases), whereas the cjson module that Redis embeds in its Lua interpreter is lua-cjson, a separate code base; check which library a given deployment actually ships before assuming exposure.

Vulnerability details:

CVE-2019-11834: cJSON Multiline Comments Out-of-Bounds Access Vulnerability (allowing the attacker to compromise the system completely)
CVE-2019-11835: cJSON Out-of-Bounds Access Vulnerability (allowing the attacker to compromise the system completely)
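Both advisories concern a parser that walks past the end of its input while skipping a comment or string that is never terminated. As an added illustration (this is not code from cJSON, Redis, or the original post), the following in-place JSON minifier re-checks for the terminating NUL in every inner loop, so a truncated `/* ... ` comment or an unclosed string literal stops at the end of the buffer instead of reading beyond it; `safe_minify` and `minified` are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Minify JSON in place: drop whitespace and C-style comments, keep string
 * literals verbatim. Every loop re-checks for the terminating NUL, so an
 * unterminated comment or string stops at the end of the buffer instead of
 * reading past it (the defect class behind the cJSON minify CVEs above). */
void safe_minify(char *json)
{
    const char *in = json;
    char *out = json;

    while (*in != '\0') {
        if (*in == ' ' || *in == '\t' || *in == '\r' || *in == '\n') {
            in++;                                   /* drop whitespace */
        } else if (in[0] == '/' && in[1] == '/') {  /* line comment */
            while (*in != '\0' && *in != '\n') in++;
        } else if (in[0] == '/' && in[1] == '*') {  /* multiline comment */
            in += 2;
            /* in[1] is only read when in[0] is not NUL, so an unterminated
             * comment ends cleanly at the terminator */
            while (*in != '\0' && !(in[0] == '*' && in[1] == '/')) in++;
            if (*in != '\0') in += 2;
        } else if (*in == '"') {                    /* string literal */
            *out++ = *in++;
            while (*in != '\0' && *in != '"') {
                if (*in == '\\' && in[1] != '\0')   /* keep escape pairs whole */
                    *out++ = *in++;
                *out++ = *in++;
            }
            if (*in != '\0') *out++ = *in++;        /* closing quote, if any */
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
}

/* Convenience wrapper: minify a copy of src (truncated to fit) and return it. */
const char *minified(const char *src)
{
    static char buf[256];
    snprintf(buf, sizeof buf, "%s", src);
    safe_minify(buf);
    return buf;
}
```

Feeding `minified` a constructed input such as `{"a":1} /* comment never closed` returns `{"a":1}`, and an unclosed string is copied up to the terminator rather than beyond it.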

Remediation: The vendor has released software updates at the following link – https://github.com/DaveGamble/cJSON/releases
