NVD Vulnerability Detail

CVE-2014-4616

Summary	Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.
Publication Date	Aug. 25, 2017, 5:29 a.m.
Registration Date	Jan. 26, 2021, 3:13 p.m.
Last Update	Nov. 21, 2024, 11:10 a.m.

Affected software configurations

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:simplejson_project:simplejson::::::python::*					2.6.1

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:opensuse_project:opensuse:12.3:::::::*
cpe:2.3:o:opensuse:opensuse:13.1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://bugs.python.org/issue21529	Issue Tracking Vendor Advisory
2	http://bugs.python.org/issue21529	Issue Tracking Vendor Advisory
3	http://lists.opensuse.org/opensuse-updates/2014-07/msg00015.html	Mailing List Third Party Advisory
4	http://lists.opensuse.org/opensuse-updates/2014-07/msg00015.html	Mailing List Third Party Advisory
5	http://openwall.com/lists/oss-security/2014/06/24/7	Mailing List Third Party Advisory
6	http://openwall.com/lists/oss-security/2014/06/24/7	Mailing List Third Party Advisory
7	http://rhn.redhat.com/errata/RHSA-2015-1064.html	Third Party Advisory
8	http://rhn.redhat.com/errata/RHSA-2015-1064.html	Third Party Advisory
9	http://www.securityfocus.com/bid/68119	Third Party Advisory VDB Entry
10	http://www.securityfocus.com/bid/68119	Third Party Advisory VDB Entry
11	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395	Issue Tracking Mailing List Third Party Advisory
12	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395	Issue Tracking Mailing List Third Party Advisory
13	https://bugzilla.redhat.com/show_bug.cgi?id=1112285	Issue Tracking Patch Third Party Advisory
14	https://bugzilla.redhat.com/show_bug.cgi?id=1112285	Issue Tracking Patch Third Party Advisory
15	https://hackerone.com/reports/12297	Exploit Patch Third Party Advisory
16	https://hackerone.com/reports/12297	Exploit Patch Third Party Advisory
17	https://security.gentoo.org/glsa/201503-10	Patch Third Party Advisory VDB Entry
18	https://security.gentoo.org/glsa/201503-10	Patch Third Party Advisory VDB Entry

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-129	配列インデックスの不適切な検証	https://cwe.mitre.org/data/definitions/129.html

JVN Vulnerability Information

Python および simplejson におけるバッファエラーの脆弱性

Title	Python および simplejson におけるバッファエラーの脆弱性
Summary	Python および simplejson には、バッファエラーの脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	May 19, 2014, midnight
Registration Date	Sept. 27, 2017, 3:13 p.m.
Last Update	Sept. 27, 2017, 3:13 p.m.

Affected System

Python Software Foundation

Python 2.7 から 3.5

simplejson 2.6.1 未満

openSUSE project

openSUSE 12.3

openSUSE 13.1

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-4616	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4616
National Vulnerability Database (NVD)
2	CVE-2014-4616	https://nvd.nist.gov/vuln/detail/CVE-2014-4616

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
opensuse-updates
1	openSUSE-SU-2014:0890	https://lists.opensuse.org/opensuse-updates/2014-07/msg00015.html
Python bug tracker
2	Issue21529	https://bugs.python.org/issue21529
Red Hat Bugzilla
3	Bug 1112285	https://bugzilla.redhat.com/show_bug.cgi?id=1112285

Change Log

No	Changed Details	Date of change
0	[2017年09月27日] 掲載	Feb. 17, 2018, 10:37 a.m.