Buffer overflow in Freeswitch

CVE-2015-7392

Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x before 1.6.2 allows remote attackers to execute arbitrary code via a trailing \u in a json string to cJSON_Parse.

Vulnerability class: Buffer Overflow

EPSS: 0.041 (88.8th percentile) — read the EPSS interpretation.

Affected products

Freeswitch — versions 1.6.0
N/a — versions n/a

Weakness classification (CWE)

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer

References

cve@mitre.org (x_refsource_CONFIRM)
cve@mitre.org (Exploit, x_refsource_MISC)
20150929 CVE-2015-7392 Heap overflow in Freeswitch json parser < 1.6.2 & < 1.4.23 (mailing-list, x_refsource_BUGTRAQ)