CVE-2018-1000217

Published: Aug 20, 2018Modified: Jul 22, 2025

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Dave Gamble cJSON version 1.7.3 and earlier contains a CWE-416: Use After Free vulnerability in cJSON library that can result in Possible crash, corruption of data or even RCE. This attack appear to be exploitable via Depends on how application uses cJSON library. If application provides network interface then can be exploited over a network, otherwise just local.. This vulnerability appears to have been fixed in 1.7.4.

Affected (1)

Products: Davegamble: Cjson

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Davegamble Cjson	Before 1.7.4

Related CWEs

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

References (2)

https://github.com/DaveGamble/cJSON/issues/248

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/DaveGamble/cJSON/issues/248

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.