CVE-2020-35380 — Panic due to improper input validation in Get in github.com/tidwall/gjson

Description

Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.

How to fix CVE-2020-35380

To remediate CVE-2020-35380, upgrade the affected package to a fixed version below.

Debian/golang-github-tidwall-gjson—upgrade to 1.6.7-1 or later
—upgrade to 1.6.4 or later
—upgrade to 1.6.4 or later

Is CVE-2020-35380 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 1.6.7-1
from 0, < 1.6.4
from 0, < 1.6.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-35380
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-35380
PATCHgithub.com/tidwall/gjson
WEBgithub.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc
WEB