CVE-2018-14632 — Out-of-bounds write in github.com/evanphx/json-patch

Description

A malicious JSON patch can cause a panic due to an out-of-bounds write attempt. This can be used as a denial of service vector if exposed to arbitrary user input.

How to fix CVE-2018-14632

To remediate CVE-2018-14632, upgrade the affected package to a fixed version below.

Go/github.com/evanphx/json-patch—upgrade to 0.5.2 or later
—upgrade to 0.5.2 or later

Is CVE-2018-14632 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.5.2
from 0, < 0.5.2, >= 3.0.0+incompatible, < 3.0.1-0.20180525145409-4c9aadca8f89+incompatible

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.7	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-14632
PATCHgithub.com/evanphx/json-patch
WEBaccess.redhat.com/errata/RHBA-2018:2652
WEBaccess.redhat.com/errata/RHSA-2018:2654
WEBaccess.redhat.com