Zurück zur Übersicht

Phoenix Contact: Two vulnerabilities in the jq JSON processor utilized by FL MGUARD 110x devices

VDE-2025-077
Last update
09.09.2025 12:00
Published at
09.09.2025 12:00
Vendor(s)
Phoenix Contact GmbH & Co. KG
External ID
VDE-2025-077
CSAF Document
Download

Summary

The jq JSON processor, which is used to migrate firmware configurations in the product, contains 2 vulnerabilities that can be exploited by an authenticated attacker.

Impact

An authenticated attacker can cause a denial of service.

Affected Product(s)

Model no. Product name Affected versions
1153079 FL MGUARD 1102 Firmware <1.8.1
1153078 FL MGUARD 1105 Firmware <1.8.1

Vulnerabilities

Expand / Collapse all

Published
22.09.2025 14:57
Severity
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness
Out-of-bounds Write (CWE-787)
Summary

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function jv_string_vfmt in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 void* p = malloc(sz);. As of time of publication, no patched versions are available.

References
cve.org | nvd.nist.gov

Published
22.09.2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue.

References
cve.org | nvd.nist.gov

Remediation

Phoenix Contact strongly recommends upgrading affected mGuard devices to firmware version 1.8.1 or higher which fixes this vulnerability.

Revision History

Version Date Summary
1 04.08.2025 12:00 Initial revision.