Login Sign Up

CVE-2020-17479

9.8 CRITICAL

📋 TL;DR

CVE-2020-17479 is an input validation vulnerability in jpv (Json Pattern Validator) that allows attackers to bypass validation logic through specially crafted corrupted arrays. This affects any application using vulnerable versions of jpv for JSON validation, potentially leading to data corruption or injection attacks. The vulnerability is particularly dangerous in applications that rely on jpv for security-critical input validation.

💻 Affected Systems

Products:
  • jpv (Json Pattern Validator)
Versions: All versions before 2.2.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using jpv for JSON validation is vulnerable regardless of configuration.

📦 What is this software?

Json Pattern Validator by Json Pattern Validator Project

View all CVEs affecting Json Pattern Validator →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete bypass of JSON validation leading to injection attacks, data corruption, or remote code execution depending on how the application processes the malformed input.

🟠

Likely Case

Data integrity issues, unexpected application behavior, or partial validation bypass allowing some malicious input through.

🟢

If Mitigated

Limited impact with proper input sanitization at multiple layers and defense-in-depth controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is simple to exploit by sending specially crafted corrupted arrays. Public proof-of-concept exists in the GitHub issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.2

Vendor Advisory: https://github.com/manvel-khnkoyan/jpv/commit/e3eec1215caa8d5c560f5e88d0943422831927d6

Restart Required: No

Instructions:

1. Update jpv package to version 2.2.2 or later using npm update jpv. 2. Test that JSON validation works correctly with edge cases. 3. Deploy updated application.

🔧 Temporary Workarounds

Input sanitization wrapper

all

Implement additional input validation before passing data to jpv

🧯 If You Can't Patch

  • Implement strict input validation at the application layer before using jpv
  • Use alternative JSON validation libraries temporarily

🔍 How to Verify

Check if Vulnerable:

Check package.json or run npm list jpv to see if version is below 2.2.2

Check Version:

npm list jpv

Verify Fix Applied:

Verify jpv version is 2.2.2 or higher and test with known malicious arrays

📡 Detection & Monitoring

Log Indicators:

  • Unexpected validation failures
  • Application errors when processing JSON arrays
  • Unusual input patterns in JSON payloads

Network Indicators:

  • HTTP requests with malformed JSON arrays to endpoints using jpv

SIEM Query:

source="application_logs" AND ("validation error" OR "jpv" OR "JSON parse error")

📊 Metadata

CVE ID: CVE-2020-17479
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-20
Published: August 10, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-17479, you might also want to check these:

CVE-2022-47190 10.0

CVE-2022-47190 allows remote attackers to upload malicious firmware containing a webshell to Generex...

Same vulnerability type (CWE-20)
CVE-2024-3400 10.0

CVE-2024-3400 is a critical command injection vulnerability in Palo Alto Networks PAN-OS GlobalProte...

Same vulnerability type (CWE-20)
CVE-2023-42802 10.0

This critical vulnerability in GLPI allows attackers to upload malicious PHP files to unauthorized d...

Same vulnerability type (CWE-20)