jsonlint 1.0 is vulnerable to heap-buffer-overflow via /home/hjsz/jsonlint/src/lexer.

Hi, developers of jsonlint.  
I fuzz the jsonlint with AFL,and some crashes incurred—heap-buffer-overflow.The following is the details.  
**Commond: ./jsonlint input**

**Bug**

\=1492403==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000000df at pc 0x000000508ea7 bp 0x7ffc32b00ef0 sp 0x7ffc32b00ee8  
READ of size 1 at 0x60e0000000df thread T0  
#0 0x508ea6 in jsonlint::details::ReadCharacter\[abi:cxx11\](jsonlint::Lexer&, bool) /home/hjsz/jsonlint/src/lexer.cpp:18:15  
#1 0x509c58 in jsonlint::details::PeekCharacterabi:cxx11 /home/hjsz/jsonlint/src/lexer.cpp:27:52  
#2 0x509c58 in jsonlint::details::ReadString(jsonlint::Lexer&) /home/hjsz/jsonlint/src/lexer.cpp:48:12  
#3 0x512b99 in jsonlint::Tokenize(jsonlint::Lexer&) /home/hjsz/jsonlint/src/lexer.cpp:256:26  
#4 0x4cb5b1 in main /home/hjsz/jsonlint/src/main.cpp:26:21  
#5 0x7f1da2c68082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16  
#6 0x41fced in \_start (/home/hjsz/jsonlint/build/jsonlint+0x41fced)

0x60e0000000df is located 0 bytes to the right of 159-byte region \[0x60e000000040,0x60e0000000df)  
allocated by thread T0 here:  
#0 0x4c7b9d in operator new(unsigned long) (/home/hjsz/jsonlint/build/jsonlint+0x4c7b9d)  
#1 0x52d49c in void std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator >::\_M\_construct<char\*>(char\*, char\*, std::forward\_iterator\_tag) /usr/bin/../lib/gcc/x86\_64-linux-gnu/9/../../../../include/c++/9/bits/basic\_string.tcc:219:14  
#2 0x4cb40f in main /home/hjsz/jsonlint/src/main.cpp:25:19  
#3 0x7f1da2c68082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hjsz/jsonlint/src/lexer.cpp:18:15 in jsonlint::details::ReadCharacter\[abi:cxx11\](jsonlint::Lexer&, bool)  
Shadow bytes around the buggy address:  
0x0c1c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00  
\=>0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00\[07\]fa fa fa fa  
0x0c1c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==1492403==ABORTING

**Crashes**

crashes.zip

**Environment**

Ubuntu 20.04.5 LTS  
master

Thanks for your time.

CVE-2022-42227: Heap-buffer-overflow in jsonlint/src/lexer.cpp:18:15 · Issue #2 · p-ranav/jsonlint

Relatedcode's Messenger version 7bcd20b allows an authenticated external attacker to access sensitive data of any user of the application. This is possible because the application exposes user data to the public.

**Summary**

**Name**

relatedcode/Messenger 7bcd20b - Sensitive Information Disclosure

**Code name**

Coldplay

**Product**

relatedcode/Messenger

**Affected versions**

Version 7bcd20b

**State**

Public

**Release date**

2022-10-14

**Vulnerability**

**Kind**

Business information leak - Personal Information

**Rule**

226\. Business information leak - Personal Information

**Remote**

Yes

**CVSSv3 Vector**

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**CVSSv3 Base Score**

6.5

**Exploit available**

Yes

**CVE ID(s)**

CVE-2022-41707

**Description**

Relatedcode/Messenger version 7bcd20b allows an authenticated external attacker to access sensitive data of any user of the application. This is possible because the application exposes user data to the public.

**Vulnerability**

The application exposes the session data of the users of the application to the public. Among the exposed data are:

*   ID
*   Email
*   PhoneNumber
*   Etc

The ID exposed in this vulnerability will help us to exploit even a broken access control present in this application.

**Exploitation**

To exploit this vulnerability, simply create an account on the server and then send the following request:

    POST /graphql HTTP/2
    Host: relatedchat.io:4000
    User-Agent: Something
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://relatedchat.io/
    Content-Type: application/json
    Authorization: Bearer [YOUR TOKEN]
    Origin: https://relatedchat.io
    Content-Length: 356
    
    {"operationName":"ListUsers","variables":{},"query":"query ListUsers($updatedAt: Date, $workspaceId: String) {\n  listUsers(updatedAt: $updatedAt, workspaceId: $workspaceId) {\n    objectId\n    displayName\n    email\n  fullName\n    phoneNumber\n    photoURL\n    theme\n    thumbnailURL\n    title\n    workspaces\n    createdAt\n    updatedAt\n  }\n}"}
    

**Impact**

An authenticated remote attacker can access sensitive user data. This allows an attacker to obtain enough information to escalate to more serious attacks. In our case, we managed to exploit a broken access control thanks to the data leaked in this vulnerability. Thanks to this I was able to access all the internal chat logs of all registered users.

**Our security police**

We have reserved the CVE-2022-41707 to refer to this issue from now on.

*   https://fluidattacks.com/advisories/policy/

**System Information**

*   Version: relatedcode/Messenger 7bcd20b
    
*   Operating System: GNU/Linux
    

**Mitigation**

There is currently no patch available for this vulnerability.

**Credits**

The vulnerability was discovered by Carlos Bello from the Offensive Team of Fluid Attacks.

**References**

**Vendor page** https://github.com/relatedcode/Messenger

**Timeline**

2022-09-23

Vulnerability discovered.

2022-09-23

Vendor contacted.

2022-09-23

Vendor replied acknowledging the report.

2022-09-23

Vendor Confirmed the vulnerability.

2022-10-14

Public Disclosure.

CVE-2022-41707: relatedcode/Messenger 7bcd20b - Information Disclosure | Fluid Attacks

Markdownify version 1.4.1 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Markdownify. This is possible because the application has the "nodeIntegration" option enabled.

**  
  
Markdownify  
****A minimal Markdown Editor desktop app built on top of Electron.**

   

Key Features • How To Use • Download • Credits • Related • License

**Key Features**

*   LivePreview - Make changes, See changes
    *   Instantly see what your Markdown documents look like in HTML as you create them.
*   Sync Scrolling
    *   While you type, LivePreview will automatically scroll to the current location you're editing.
*   GitHub Flavored Markdown
*   Syntax highlighting
*   KaTeX Support
*   Dark/Light mode
*   Toolbar for basic Markdown formatting
*   Supports multiple cursors
*   Save the Markdown preview as PDF
*   Emoji support in preview 🎉
*   App will keep alive in tray for quick usage
*   Full screen mode
    *   Write distraction free.
*   Cross platform
    *   Windows, macOS and Linux ready.

**How To Use**

To clone and run this application, you'll need Git and Node.js (which comes with npm) installed on your computer. From your command line:

# Clone this repository
$ git clone https://github.com/amitmerchant1990/electron-markdownify

# Go into the repository
$ cd electron-markdownify

# Install dependencies
$ npm install

# Run the app
$ npm start

> Note If you're using Linux Bash for Windows, see this guide or use node from the command prompt.

**Download**

You can download the latest installable version of Markdownify for Windows, macOS and Linux.

**Emailware**

Markdownify is an emailware. Meaning, if you liked using this app or it has helped you in any way, I'd like you send me an email at bullredeyes@gmail.com about anything you'd want to say about this software. I'd really appreciate it!

**Credits**

This software uses the following open source packages:

*   Electron
*   Node.js
*   Marked - a markdown parser
*   showdown
*   CodeMirror
*   Emojis are taken from here
*   highlight.js

**Related**

markdownify-web - Web version of Markdownify

**Support**

Or

**You may also like...**

*   Pomolectron - A pomodoro app
*   Correo - A menubar/taskbar Gmail App for Windows and macOS

**License**

MIT

> amitmerchant.com  ·  GitHub @amitmerchant1990  ·  Twitter @amit\_merchant

CVE-2022-41709: GitHub - amitmerchant1990/electron-markdownify: A minimal Markdown editor desktop app

Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

CVE-2022-43424: Jenkins Security Advisory 2022-10-19

Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

CVE-2022-43434: Jenkins Security Advisory 2022-10-19

Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

CVE-2022-43432: Jenkins Security Advisory 2022-10-19

Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.

CVE-2022-43408: Jenkins Security Advisory 2022-10-19

Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

CVE-2022-43433: Jenkins Security Advisory 2022-10-19

Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

CVE-2022-43422: Jenkins Security Advisory 2022-10-19

Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of Custom Checkbox Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Tag

#js