This vulnerability is exploitable only when the input contains a number written with a decimal point (e.g. `3.14`) or an exponent (e.g. `3.14e+1`) and that input is not validated by the library. When a user requests a key containing such a number, the application fails to parse it, and the unhandled error crashes the server. The failure shows up in the API console as:

```
{
  "kv": "3.14e+1",
  "message": "Invalid number: 3.14e+1"
}
```

We are not aware of any published exploits for this vulnerability at this time. Nevertheless, upgrade to a version of the library that includes the patch for this issue.
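The following is an added example, not code from the affected library or this advisory. It models the failure mode described above with a hypothetical integer-only parser (`naiveIntegerParse`) that throws on `3.14` or `3.14e+1`, and places a validation layer in front of it so that a malformed or unsupported numeric key produces a structured `{ kv, message }` error response instead of an uncaught exception. All function names, the grammar regex and the request/response shapes are assumptions for illustration.

```javascript
// Added example, not the affected library's code.

// Grammar of a JSON number (RFC 8259): optional sign, integer part without
// leading zeros, optional fraction, optional exponent.
const JSON_NUMBER = /^-?(0|[1-9]\d*)(\.\d+)?([eE][+-]?\d+)?$/;

// Hypothetical stand-in for the unvalidated parser: it only understands
// plain integers and throws on a fraction or exponent marker. This models
// the behaviour described in the advisory, not the library's actual code.
function naiveIntegerParse(text) {
  if (!/^-?\d+$/.test(text)) {
    throw new Error(`Invalid number: ${text}`);
  }
  return Number(text);
}

// Validate a numeric string before it reaches the parser. `options` declares
// what the downstream parser can actually handle, so unsupported syntax is
// rejected up front instead of surfacing as an exception later.
function parseNumberSafely(text, options = {}) {
  const { allowFraction = true, allowExponent = true } = options;
  if (typeof text !== "string") {
    return { ok: false, message: `Invalid number: ${String(text)}` };
  }
  const m = JSON_NUMBER.exec(text);
  if (m === null) {
    return { ok: false, message: `Invalid number: ${text}` };
  }
  const hasFraction = m[2] !== undefined;
  const hasExponent = m[3] !== undefined;
  if ((hasFraction && !allowFraction) || (hasExponent && !allowExponent)) {
    return { ok: false, message: `Invalid number: ${text}` };
  }
  const value = Number(text);
  // "1e999" satisfies the grammar but overflows to Infinity; never hand a
  // non-finite value downstream.
  if (!Number.isFinite(value)) {
    return { ok: false, message: `Number out of range: ${text}` };
  }
  return { ok: true, value };
}

// Hardened request handler: the downstream parser is integer-only, so
// fractions and exponents are refused with a 400 and the same error shape
// the API console shows, rather than crashing the process.
function handleKeyRequest(kv) {
  const result = parseNumberSafely(kv, { allowFraction: false, allowExponent: false });
  if (!result.ok) {
    return { status: 400, body: { kv, message: result.message } };
  }
  return { status: 200, body: { kv, value: naiveIntegerParse(kv) } };
}

// Unguarded handler for comparison: the same input propagates as an
// uncaught exception, which is the crash the advisory describes.
function unguardedKeyRequest(kv) {
  return { status: 200, body: { kv, value: naiveIntegerParse(kv) } };
}

// Demonstration on constructed inputs.
console.log(handleKeyRequest("42"));        // 200, value 42
console.log(handleKeyRequest("3.14e+1"));   // 400, "Invalid number: 3.14e+1"
console.log(parseNumberSafely("3.14e+1"));  // ok, value 31.4 when exponents are allowed
console.log(parseNumberSafely("1e999"));    // rejected: out of range
try {
  unguardedKeyRequest("3.14e+1");
} catch (e) {
  console.log("unguarded handler threw:", e.message);
}
```

The guard is deliberately split from the parser: `parseNumberSafely` states exactly which numeric syntax the downstream component supports, so the policy is visible in one place and the parser is never reached with input it cannot handle.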

What to do if you are currently using a version of the library that is affected by this vulnerability

References

Timeline

Published on: 10/21/2022 22:15:00 UTC
Last modified on: 10/24/2022 16:08:00 UTC