{"id":"CVE-2023-50246","summary":"jq has heap-buffer-overflow vulnerability in the function decToString in decNumber.c","details":"jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.","aliases":["GHSA-686w-5m7m-54vc"],"modified":"2026-04-12T06:45:01.010436Z","published":"2023-12-13T20:43:50.862Z","related":["openSUSE-SU-2024:13521-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/50xxx/CVE-2023-50246.json","cwe_ids":["CWE-120","CWE-122"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/12/15/10"},{"type":"WEB","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64574"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/50xxx/CVE-2023-50246.json"},{"type":"ADVISORY","url":"https://github.com/jqlang/jq/security/advisories/GHSA-686w-5m7m-54vc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50246"},{"type":"FIX","url":"https://github.com/jqlang/jq/commit/71c2ab509a8628dbbad4bc7b3f98a64aa90d3297"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jqlang/jq","events":[{"introduced":"0"},{"fixed":"71c2ab509a8628dbbad4bc7b3f98a64aa90d3297"}]}],"versions":["1.6rc2","jq-1.0","jq-1.1","jq-1.2","jq-1.3","jq-1.4","jq-1.5rc1","jq-1.5rc2","jq-1.6","jq-1.6rc1","jq-1.7","jq-1.7rc1","jq-1.7rc2"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","source":"https://github.com/jqlang/jq/commit/71c2ab509a8628dbbad4bc7b3f98a64aa90d3297","deprecated":false,"target":{"file":"src/jv.c"},"digest":{"threshold":0.9,"line_hashes":["290417494101508184750408009799882806556","260357342676783968016454112326919417947","226374140861562014448004111780551132909","38258572163093176609235064461151454765"]},"id":"CVE-2023-50246-3a1c0ce4","signature_type":"Line"},{"signature_version":"v1","source":"https://github.com/jqlang/jq/commit/71c2ab509a8628dbbad4bc7b3f98a64aa90d3297","deprecated":false,"target":{"file":"src/jv.c","function":"jvp_literal_number_literal"},"digest":{"length":464,"function_hash":"313161530875538920114687879794730925876"},"id":"CVE-2023-50246-fe6c4298","signature_type":"Function"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-50246.json","vanir_signatures_modified":"2026-04-12T06:45:01Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}