WebKit JavaScriptCore runtime/JSONObject.cpp JSONstringify input validation

A vulnerability classified as problematic has been found in WebKit. It affects the function JSONstringify in the file runtime/JSONObject.cpp of the component JavaScriptCore. The manipulation leads to improper input validation, which CWE classifies as CWE-20. The bug was discovered on 10/28/2016. The weakness was released on 04/03/2017 as 208123 (Website). The advisory is available at trac.webkit.org. The vulnerability is tracked as CVE-2016-10222. The attack may be launched remotely. Technical details are available. There is no exploit available. The current price for an exploit might be approx. USD $0-$5k. It is declared as not defined. The vulnerability was handled as a non-public zero-day exploit for at least 157 days. As a 0-day, the estimated underground price was around $0-$5k. A possible mitigation was published before, not after, the disclosure of the vulnerability.

| Field | 04/03/2017 04:55 PM | 08/25/2020 11:20 AM | 11/24/2022 05:26 PM |
|---|---|---|---|
| type | Web Browser | Web Browser | Web Browser |
| name | WebKit | WebKit | WebKit |
| component | JavaScriptCore | JavaScriptCore | JavaScriptCore |
| file | runtime/JSONObject.cpp | runtime/JSONObject.cpp | runtime/JSONObject.cpp |
| function | JSONstringify | JSONstringify | JSONstringify |
| cwe | 20 (input validation) | 20 (input validation) | 20 (input validation) |
| risk | 1 | 1 | 1 |
| cvss2_vuldb_basescore | 4.3 | 4.3 | 4.3 |
| cvss2_vuldb_tempscore | 4.3 | 4.3 | 4.3 |
| cvss2_vuldb_av | N | N | N |
| cvss2_vuldb_ac | M | M | M |
| cvss2_vuldb_au | N | N | N |
| cvss2_vuldb_ci | N | N | N |
| cvss2_vuldb_ii | N | N | N |
| cvss2_vuldb_ai | P | P | P |
| cvss2_nvd_av | N | N | N |
| cvss2_nvd_ac | L | L | L |
| cvss2_nvd_au | N | N | N |
| cvss2_nvd_ci | N | N | N |
| cvss2_nvd_ii | N | N | N |
| cvss2_nvd_ai | P | P | P |
| cvss3_meta_basescore | 5.9 | 5.9 | 5.9 |
| cvss3_meta_tempscore | 5.9 | 5.9 | 5.9 |
| cvss3_vuldb_basescore | 4.3 | 4.3 | 4.3 |
| cvss3_vuldb_tempscore | 4.3 | 4.3 | 4.3 |
| cvss3_vuldb_av | N | N | N |
| cvss3_vuldb_ac | L | L | L |
| cvss3_vuldb_pr | N | N | N |
| cvss3_vuldb_ui | R | R | R |
| cvss3_vuldb_s | U | U | U |
| cvss3_vuldb_c | N | N | N |
| cvss3_vuldb_i | N | N | N |
| cvss3_vuldb_a | L | L | L |
| cvss3_nvd_av | N | N | N |
| cvss3_nvd_ac | L | L | L |
| cvss3_nvd_pr | N | N | N |
| cvss3_nvd_ui | N | N | N |
| cvss3_nvd_s | U | U | U |
| cvss3_nvd_c | N | N | N |
| cvss3_nvd_i | N | N | N |
| cvss3_nvd_a | H | H | H |
| date | 1491177600 (04/03/2017) | 1491177600 (04/03/2017) | 1491177600 (04/03/2017) |
| url | http://trac.webkit.org/changeset/208123 | http://trac.webkit.org/changeset/208123 | http://trac.webkit.org/changeset/208123 |
| price_0day | $0-$5k | $0-$5k | $0-$5k |
| cve | CVE-2016-10222 | CVE-2016-10222 | CVE-2016-10222 |
| cve_assigned | 1486598400 (02/09/2017) | 1486598400 (02/09/2017) | 1486598400 (02/09/2017) |
| cve_nvd_published | 1491177600 | 1491177600 | 1491177600 |
| cve_nvd_summary | runtime/JSONObject.cpp in JavaScriptCore in WebKit, as distributed in Safari Technology Preview Release 18, allows remote attackers to cause a denial of service (segmentation violation and application crash) via crafted JavaScript code that triggers a "type confusion" in the JSON.stringify function. | runtime/JSONObject.cpp in JavaScriptCore in WebKit, as distributed in Safari Technology Preview Release 18, allows remote attackers to cause a denial of service (segmentation violation and application crash) via crafted JavaScript code that triggers a "type confusion" in the JSON.stringify function. | runtime/JSONObject.cpp in JavaScriptCore in WebKit, as distributed in Safari Technology Preview Release 18, allows remote attackers to cause a denial of service (segmentation violation and application crash) via crafted JavaScript code that triggers a "type confusion" in the JSON.stringify function. |
| seealso | 99237 | 99237 | 99237 |
| location | Website | Website | Website |
| cvss2_vuldb_e | ND | ND | ND |
| cvss2_vuldb_rl | ND | ND | ND |
| cvss2_vuldb_rc | ND | ND | ND |
| cvss3_vuldb_e | X | X | X |
| cvss3_vuldb_rl | X | X | X |
| cvss3_vuldb_rc | X | X | X |
| 0day_days | 157 | 157 | 157 |
| cvss3_nvd_basescore | 7.5 | 7.5 | 7.5 |
| discoverydate | | 1477612800 | 1477612800 |
| confirm_url | | http://trac.webkit.org/changeset/208123 | http://trac.webkit.org/changeset/208123 |
| osvdb_title | | CVE-2016-10222 - WebKit - Denial of Service Issue | CVE-2016-10222 - WebKit - Denial of Service Issue |
| identifier | | | 208123 |
| cvss2_nvd_basescore | | | 5.0 |
