Vulnerability Report: GO-2021-0076

CVE-2018-14632, GHSA-gxhv-3hwf-wjp9
Affects: github.com/evanphx/json-patch
Published: Apr 14, 2021
Modified: Jun 12, 2023

A malicious JSON patch can cause a panic due to an out-of-bounds write attempt. This can be used as a denial of service vector if exposed to arbitrary user input.

Affected Packages

Path

Versions

Symbols
github.com/evanphx/json-patch

before v0.5.2, from v3.0.0+incompatible before v3.0.1-0.20180525145409-4c9aadca8f89+incompatible
- Patch.Apply
- Patch.ApplyIndent

Aliases

CVE-2018-14632
GHSA-gxhv-3hwf-wjp9

References

https://github.com/evanphx/json-patch/pull/57
https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03
https://vuln.go.dev/ID/GO-2021-0076.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL