{
  "threat_severity" : "Low",
  "public_date" : "2016-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "jq: stack exhaustion via jv_dump_term() function",
    "id" : "1329982",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1329982"
  },
  "cvss" : {
    "cvss_base_score" : "2.6",
    "cvss_scoring_vector" : "AV:N/AC:H/Au:N/C:N/I:N/A:P",
    "status" : "draft"
  },
  "cwe" : "CWE-400",
  "details" : [ "The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. This issue has been fixed in jq 1.6_rc1-r0." ],
  "statement" : "Because this vulnerability requires that an unsuspecting user parses a specially crafted malicious JSON file, or that a service which parses such files accepts untrusted input, and because the consequences of this flaw are limited to exhausting the resources available to the user with whose privileges jq parses the malicious file, Red Hat assesses this vulnerability's impact as Low.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "jq",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "jq",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 6 (Juno)",
    "fix_state" : "Will not fix",
    "package_name" : "jq",
    "cpe" : "cpe:/a:redhat:openstack:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)",
    "fix_state" : "Will not fix",
    "package_name" : "jq",
    "cpe" : "cpe:/a:redhat:openstack:7"
  }, {
    "product_name" : "Red Hat OpenStack Platform 8 (Liberty)",
    "fix_state" : "Will not fix",
    "package_name" : "jq",
    "cpe" : "cpe:/a:redhat:openstack:8"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)",
    "fix_state" : "Will not fix",
    "package_name" : "jq",
    "cpe" : "cpe:/a:redhat:openstack:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-4074\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-4074" ],
  "name" : "CVE-2016-4074",
  "csaw" : false
}