github - GHSA-jj47-x69x-mxrm

GHSA-JJ47-X69X-MXRM

Vulnerability from github – Published: 2022-04-05 15:55 – Updated: 2022-05-26 18:54

Summary

Buffer Overflow in yajl-ruby

Details

NOTE: A previous patch, 1.4.2, fixed the heap memory issue, but could still lead to a DoS infinite loop. Please update to version 1.4.3

The 1.x branch and the 2.x branch of yajl contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs.

Details

The reallocation logic at yajl_buf.c#L64 may result in the need 32bit integer wrapping to 0 when need approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk.

These integers are declared as size_t in the 2.x branch of yajl, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which size_t is a 32bit integer.

Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption.

Impact

We rate this as a moderate severity vulnerability which mostly impacts process availability as we believe exploitation for arbitrary code execution to be unlikely.

Patches

Patched in yajl-ruby 1.4.3

Workarounds

Avoid passing large inputs to YAJL

References

https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64

For more information

If you have any questions or comments about this advisory: * Open an issue in yajl-ruby

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.4.2"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "yajl-ruby"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24795"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-05T15:55:51Z",
    "nvd_published_at": "2022-04-05T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "_NOTE: A previous patch, 1.4.2, fixed the heap memory issue, but could still lead to a DoS infinite loop. Please update to version 1.4.3_\n\nThe 1.x branch and the 2.x branch of [yajl](https://github.com/lloyd/yajl) contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs.\n\n### Details\n\nThe [reallocation logic at yajl_buf.c#L64](https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64) may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf-\u003ealloc into a small heap chunk.\n\nThese integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer.\n\nSubsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption.\n\n### Impact\n\nWe rate this as a moderate severity vulnerability which mostly impacts process availability as we believe exploitation for arbitrary code execution to be unlikely.\n\n### Patches\n\nPatched in yajl-ruby 1.4.3\n\n### Workarounds\n\nAvoid passing large inputs to YAJL\n\n### References\nhttps://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [yajl-ruby](https://github.com/brianmario/yajl-ruby/issues)\n",
  "id": "GHSA-jj47-x69x-mxrm",
  "modified": "2022-05-26T18:54:24Z",
  "published": "2022-04-05T15:55:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24795"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/brianmario/yajl-ruby"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yajl-ruby/CVE-2022-24795.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KLE3C4CECEJ4EUYI56KXI6OWACWXX7WN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YO32YDJ74DADC7CMJNLSLBVWN5EXGF5J"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Buffer Overflow in yajl-ruby"
}

CVE-2022-24795 (GCVE-0-2022-24795)

Vulnerability from cvelistv5 – Published: 2022-04-05 00:00 – Updated: 2025-04-22 18:17

Summary

yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-122 - Heap-based Buffer Overflow
CWE-190 - Integer Overflow or Wraparound

Assigner

GitHub_M

References

URL

Tags

	https://github.com/brianmario/yajl-ruby/security/…
	https://github.com/brianmario/yajl-ruby/commit/71…
	https://github.com/brianmario/yajl-ruby/blob/7168…
	https://lists.debian.org/debian-lts-announce/2023…	mailing-list
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2023…	mailing-list

Impacted products

	Vendor	Product	Version
	brianmario	yajl-ruby	Affected: <= 1.4.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:20:50.514Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64"
          },
          {
            "name": "[debian-lts-announce] 20230711 [SECURITY] [DLA 3492-1] yajl security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html"
          },
          {
            "name": "FEDORA-2023-00572178e1",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLE3C4CECEJ4EUYI56KXI6OWACWXX7WN/"
          },
          {
            "name": "FEDORA-2023-852b377773",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO32YDJ74DADC7CMJNLSLBVWN5EXGF5J/"
          },
          {
            "name": "[debian-lts-announce] 20230805 [SECURITY] [DLA 3516-1] burp security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-24795",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:49:09.360664Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T18:17:37.564Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "yajl-ruby",
          "vendor": "brianmario",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.4.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf-\u003ealloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190: Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-05T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm"
        },
        {
          "url": "https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6"
        },
        {
          "url": "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64"
        },
        {
          "name": "[debian-lts-announce] 20230711 [SECURITY] [DLA 3492-1] yajl security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html"
        },
        {
          "name": "FEDORA-2023-00572178e1",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLE3C4CECEJ4EUYI56KXI6OWACWXX7WN/"
        },
        {
          "name": "FEDORA-2023-852b377773",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO32YDJ74DADC7CMJNLSLBVWN5EXGF5J/"
        },
        {
          "name": "[debian-lts-announce] 20230805 [SECURITY] [DLA 3516-1] burp security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html"
        }
      ],
      "source": {
        "advisory": "GHSA-jj47-x69x-mxrm",
        "discovery": "UNKNOWN"
      },
      "title": "Buffer Overflow and Integer Overflow in yajl-ruby"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-24795",
    "datePublished": "2022-04-05T00:00:00.000Z",
    "dateReserved": "2022-02-10T00:00:00.000Z",
    "dateUpdated": "2025-04-22T18:17:37.564Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GSD-2022-24795

Vulnerability from gsd - Updated: 2022-04-05 00:00

Details

The 1.x branch and the 2.x branch of [yajl](https://github.com/lloyd/yajl) contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. ### Details The [reallocation logic at yajl_buf.c#L64](https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64) may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. ### Impact We rate this as a moderate severity vulnerability which mostly impacts process availability as we believe exploitation for arbitrary code execution to be unlikely. ### Patches Patched in yajl-ruby 1.4.2 ### Workarounds Avoid passing large inputs to YAJL

Aliases

CVE-2022-24795

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-24795",
    "description": "yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf-\u003ealloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.",
    "id": "GSD-2022-24795",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-24795.html",
      "https://access.redhat.com/errata/RHSA-2022:7524",
      "https://access.redhat.com/errata/RHSA-2022:8252"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "yajl-ruby",
            "purl": "pkg:gem/yajl-ruby"
          }
        }
      ],
      "aliases": [
        "CVE-2022-24795",
        "GHSA-jj47-x69x-mxrm"
      ],
      "details": "The 1.x branch and the 2.x branch of [yajl](https://github.com/lloyd/yajl)\ncontain an integer overflow which leads to subsequent heap memory corruption\nwhen dealing with large (~2GB) inputs.\n\n### Details\n\nThe [reallocation logic at yajl_buf.c#L64](https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64)\nmay result in the `need` 32bit integer wrapping to 0 when `need` approaches\na value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation\nof buf-\u003ealloc into a small heap chunk.\n\nThese integers are declared as `size_t` in the 2.x branch of `yajl`, which\npractically prevents the issue from triggering on 64bit platforms, however\nthis does not preclude this issue triggering on 32bit builds on which\n`size_t` is a 32bit integer.\n\nSubsequent population of this under-allocated heap chunk is based on the\noriginal buffer size, leading to heap memory corruption.\n\n### Impact\n\nWe rate this as a moderate severity vulnerability which mostly impacts\nprocess availability as we believe exploitation for arbitrary code\nexecution to be unlikely.\n\n### Patches\n\nPatched in yajl-ruby 1.4.2\n\n### Workarounds\n\nAvoid passing large inputs to YAJL\n",
      "id": "GSD-2022-24795",
      "modified": "2022-04-05T00:00:00.000Z",
      "published": "2022-04-05T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm"
        },
        {
          "type": "WEB",
          "url": "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 5.9,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Reallocation bug can trigger heap memory corruption"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-24795",
        "STATE": "PUBLIC",
        "TITLE": "Buffer Overflow and Integer Overflow in yajl-ruby"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "yajl-ruby",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c= 1.4.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "brianmario"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf-\u003ealloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-122: Heap-based Buffer Overflow"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-190: Integer Overflow or Wraparound"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm",
            "refsource": "CONFIRM",
            "url": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm"
          },
          {
            "name": "https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6",
            "refsource": "MISC",
            "url": "https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6"
          },
          {
            "name": "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64",
            "refsource": "MISC",
            "url": "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64"
          },
          {
            "name": "[debian-lts-announce] 20230711 [SECURITY] [DLA 3492-1] yajl security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html"
          },
          {
            "name": "FEDORA-2023-00572178e1",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KLE3C4CECEJ4EUYI56KXI6OWACWXX7WN/"
          },
          {
            "name": "FEDORA-2023-852b377773",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YO32YDJ74DADC7CMJNLSLBVWN5EXGF5J/"
          },
          {
            "name": "[debian-lts-announce] 20230805 [SECURITY] [DLA 3516-1] burp security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-jj47-x69x-mxrm",
        "discovery": "UNKNOWN"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2022-24795",
      "cvss_v3": 5.9,
      "date": "2022-04-05",
      "description": "The 1.x branch and the 2.x branch of [yajl](https://github.com/lloyd/yajl)\ncontain an integer overflow which leads to subsequent heap memory corruption\nwhen dealing with large (~2GB) inputs.\n\n### Details\n\nThe [reallocation logic at yajl_buf.c#L64](https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64)\nmay result in the `need` 32bit integer wrapping to 0 when `need` approaches\na value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation\nof buf-\u003ealloc into a small heap chunk.\n\nThese integers are declared as `size_t` in the 2.x branch of `yajl`, which\npractically prevents the issue from triggering on 64bit platforms, however\nthis does not preclude this issue triggering on 32bit builds on which\n`size_t` is a 32bit integer.\n\nSubsequent population of this under-allocated heap chunk is based on the\noriginal buffer size, leading to heap memory corruption.\n\n### Impact\n\nWe rate this as a moderate severity vulnerability which mostly impacts\nprocess availability as we believe exploitation for arbitrary code\nexecution to be unlikely.\n\n### Patches\n\nPatched in yajl-ruby 1.4.2\n\n### Workarounds\n\nAvoid passing large inputs to YAJL\n",
      "gem": "yajl-ruby",
      "ghsa": "jj47-x69x-mxrm",
      "patched_versions": [
        "\u003e= 1.4.2"
      ],
      "related": {
        "url": [
          "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64"
        ]
      },
      "title": "Reallocation bug can trigger heap memory corruption",
      "url": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.4.2",
          "affected_versions": "All versions before 1.4.2",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-190",
            "CWE-937"
          ],
          "date": "2023-08-05",
          "description": "yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf-\u003ealloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.",
          "fixed_versions": [
            "1.4.2"
          ],
          "identifier": "CVE-2022-24795",
          "identifiers": [
            "CVE-2022-24795",
            "GHSA-jj47-x69x-mxrm"
          ],
          "not_impacted": "All versions starting from 1.4.2",
          "package_slug": "gem/yajl-ruby",
          "pubdate": "2022-04-05",
          "solution": "Upgrade to version 1.4.2 or above.",
          "title": "Heap-based Buffer Overflow",
          "urls": [
            "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm",
            "https://github.com/advisories/GHSA-jj47-x69x-mxrm"
          ],
          "uuid": "25255b57-91c4-41b0-980c-36a210e90a52"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:yajl-ruby_project:yajl-ruby:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.4.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-24795"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf-\u003ealloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-190"
                },
                {
                  "lang": "en",
                  "value": "CWE-122"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm"
            },
            {
              "name": "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64"
            },
            {
              "name": "https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6"
            },
            {
              "name": "[debian-lts-announce] 20230711 [SECURITY] [DLA 3492-1] yajl security update",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html"
            },
            {
              "name": "FEDORA-2023-00572178e1",
              "refsource": "FEDORA",
              "tags": [],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KLE3C4CECEJ4EUYI56KXI6OWACWXX7WN/"
            },
            {
              "name": "FEDORA-2023-852b377773",
              "refsource": "FEDORA",
              "tags": [],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YO32YDJ74DADC7CMJNLSLBVWN5EXGF5J/"
            },
            {
              "name": "[debian-lts-announce] 20230805 [SECURITY] [DLA 3516-1] burp security update",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-08-05T19:15Z",
      "publishedDate": "2022-04-05T16:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-JJ47-X69X-MXRM

Details

Impact

Patches

Workarounds

References

For more information

CVE-2022-24795 (GCVE-0-2022-24795)

GSD-2022-24795

Tags

Sightings

Nomenclature