Fluid Attacks Database

Description

Improper Validation of Array Index in GJSON GJSON < 1.6.6 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a crafted GET call.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/tidwall/gjson	>=0 <1.6.6	1.6.6
debian 14	golang-github-tidwall-gjson	>=0 <1.6.7-1	1.6.7-1
debian 12	golang-github-tidwall-gjson	>=0 <1.6.7-1	1.6.7-1
debian 13	golang-github-tidwall-gjson	>=0 <1.6.7-1	1.6.7-1
debian 11	golang-github-tidwall-gjson	>=0 <1.6.7-1	1.6.7-1

Aliases

1. CVE-2020-360672. NVD-2020-360673. OSV-2020-360674. OSV-DEBIAN-2020-360675. GCVE-2020-360676. SECURITY-TRACKER-CVE-2020-36067

References

1. https://github.com/tidwall/gjson/issues/1962. https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b3. https://pkg.go.dev/vuln/GO-2021-0054