ghsa-fm67-cv37-96ff
Vulnerability from github
Published
2022-07-05 21:05
Modified
2022-07-15 20:48
Summary
Potential double free of buffer during string decoding
Details

Impact

What kind of vulnerability is it? Who is impacted?

When an error occurs while reallocating the buffer for string decoding, the buffer gets freed twice.

Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python.

Patches

Has the problem been patched? What versions should users upgrade to?

Users should upgrade to UltraJSON 5.4.0.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There is no workaround.

For more information

If you have any questions or comments about this advisory: * Open an issue in UltraJSON

Show details on source website


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ujson"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31117"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-05T21:05:59Z",
    "nvd_published_at": "2022-07-05T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nWhen an error occurs while reallocating the buffer for string decoding, the buffer gets freed twice.\n\nDue to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nUsers should upgrade to UltraJSON 5.4.0.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nThere is no workaround.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [UltraJSON](http://github.com/ultrajson/ultrajson/issues)\n",
  "id": "GHSA-fm67-cv37-96ff",
  "modified": "2022-07-15T20:48:04Z",
  "published": "2022-07-05T21:05:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-fm67-cv37-96ff"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31117"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ultrajson/ultrajson/commit/9c20de0f77b391093967e25d01fb48671104b15b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ultrajson/ultrajson"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NAU5N4A7EUK2AMUCOLYDD5ARXAJYZBD2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPPU5FZP3LCTXYORFH7NHUMYA5X66IA7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Potential double free of buffer during string decoding"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.