gsd-2022-24795
Vulnerability from gsd
Modified
2022-04-05 00:00
Details
The 1.x branch and the 2.x branch of [yajl](https://github.com/lloyd/yajl)
contain an integer overflow which leads to subsequent heap memory corruption
when dealing with large (~2GB) inputs.
### Details
The [reallocation logic at yajl_buf.c#L64](https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64)
may result in the `need` 32bit integer wrapping to 0 when `need` approaches
a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation
of buf->alloc into a small heap chunk.
These integers are declared as `size_t` in the 2.x branch of `yajl`, which
practically prevents the issue from triggering on 64bit platforms, however
this does not preclude this issue triggering on 32bit builds on which
`size_t` is a 32bit integer.
Subsequent population of this under-allocated heap chunk is based on the
original buffer size, leading to heap memory corruption.
### Impact
We rate this as a moderate severity vulnerability which mostly impacts
process availability as we believe exploitation for arbitrary code
execution to be unlikely.
### Patches
Patched in yajl-ruby 1.4.2
### Workarounds
Avoid passing large inputs to YAJL
Aliases
Aliases
{ "GSD": { "alias": "CVE-2022-24795", "description": "yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf-\u003ealloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.", "id": "GSD-2022-24795", "references": [ "https://www.suse.com/security/cve/CVE-2022-24795.html", "https://access.redhat.com/errata/RHSA-2022:7524", "https://access.redhat.com/errata/RHSA-2022:8252" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "affected": [ { "package": { "ecosystem": "RubyGems", "name": "yajl-ruby", "purl": "pkg:gem/yajl-ruby" } } ], "aliases": [ "CVE-2022-24795", "GHSA-jj47-x69x-mxrm" ], "details": "The 1.x branch and the 2.x branch of [yajl](https://github.com/lloyd/yajl)\ncontain an integer overflow which leads to subsequent heap memory corruption\nwhen dealing with large (~2GB) inputs.\n\n### Details\n\nThe [reallocation logic at yajl_buf.c#L64](https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64)\nmay result in the `need` 32bit integer wrapping to 0 when `need` approaches\na value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation\nof buf-\u003ealloc into a small heap chunk.\n\nThese integers are declared as `size_t` in the 2.x branch of `yajl`, which\npractically prevents the issue from triggering on 64bit platforms, however\nthis does not preclude this issue triggering on 32bit builds on which\n`size_t` is a 32bit integer.\n\nSubsequent population of this under-allocated heap chunk is based on the\noriginal buffer size, leading to heap memory corruption.\n\n### Impact\n\nWe rate this as a moderate severity vulnerability which mostly impacts\nprocess availability as we believe exploitation for arbitrary code\nexecution to be unlikely.\n\n### Patches\n\nPatched in yajl-ruby 1.4.2\n\n### Workarounds\n\nAvoid passing large inputs to YAJL\n", "id": "GSD-2022-24795", "modified": "2022-04-05T00:00:00.000Z", "published": "2022-04-05T00:00:00.000Z", "references": [ { "type": "WEB", "url": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm" }, { "type": "WEB", "url": "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64" } ], "schema_version": "1.4.0", "severity": [ { "score": 5.9, "type": "CVSS_V3" } ], "summary": "Reallocation bug can trigger heap memory corruption" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24795", "STATE": "PUBLIC", "TITLE": "Buffer Overflow and Integer Overflow in yajl-ruby" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "yajl-ruby", "version": { "version_data": [ { "version_value": "\u003c= 1.4.1" } ] } } ] }, "vendor_name": "brianmario" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf-\u003ealloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-122: Heap-based Buffer Overflow" } ] }, { "description": [ { "lang": "eng", "value": "CWE-190: Integer Overflow or Wraparound" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm", "refsource": "CONFIRM", "url": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm" }, { "name": "https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6", "refsource": "MISC", "url": "https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6" }, { "name": "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64", "refsource": "MISC", "url": "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64" }, { "name": "[debian-lts-announce] 20230711 [SECURITY] [DLA 3492-1] yajl security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html" }, { "name": "FEDORA-2023-00572178e1", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KLE3C4CECEJ4EUYI56KXI6OWACWXX7WN/" }, { "name": "FEDORA-2023-852b377773", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YO32YDJ74DADC7CMJNLSLBVWN5EXGF5J/" }, { "name": "[debian-lts-announce] 20230805 [SECURITY] [DLA 3516-1] burp security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html" } ] }, "source": { "advisory": "GHSA-jj47-x69x-mxrm", "discovery": "UNKNOWN" } }, "github.com/rubysec/ruby-advisory-db": { "cve": "2022-24795", "cvss_v3": 5.9, "date": "2022-04-05", "description": "The 1.x branch and the 2.x branch of [yajl](https://github.com/lloyd/yajl)\ncontain an integer overflow which leads to subsequent heap memory corruption\nwhen dealing with large (~2GB) inputs.\n\n### Details\n\nThe [reallocation logic at yajl_buf.c#L64](https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64)\nmay result in the `need` 32bit integer wrapping to 0 when `need` approaches\na value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation\nof buf-\u003ealloc into a small heap chunk.\n\nThese integers are declared as `size_t` in the 2.x branch of `yajl`, which\npractically prevents the issue from triggering on 64bit platforms, however\nthis does not preclude this issue triggering on 32bit builds on which\n`size_t` is a 32bit integer.\n\nSubsequent population of this under-allocated heap chunk is based on the\noriginal buffer size, leading to heap memory corruption.\n\n### Impact\n\nWe rate this as a moderate severity vulnerability which mostly impacts\nprocess availability as we believe exploitation for arbitrary code\nexecution to be unlikely.\n\n### Patches\n\nPatched in yajl-ruby 1.4.2\n\n### Workarounds\n\nAvoid passing large inputs to YAJL\n", "gem": "yajl-ruby", "ghsa": "jj47-x69x-mxrm", "patched_versions": [ "\u003e= 1.4.2" ], "related": { "url": [ "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64" ] }, "title": "Reallocation bug can trigger heap memory corruption", "url": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm" }, "gitlab.com": { "advisories": [ { "affected_range": "\u003c1.4.2", "affected_versions": "All versions before 1.4.2", "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cwe_ids": [ "CWE-1035", "CWE-190", "CWE-937" ], "date": "2023-08-05", "description": "yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf-\u003ealloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.", "fixed_versions": [ "1.4.2" ], "identifier": "CVE-2022-24795", "identifiers": [ "CVE-2022-24795", "GHSA-jj47-x69x-mxrm" ], "not_impacted": "All versions starting from 1.4.2", "package_slug": "gem/yajl-ruby", "pubdate": "2022-04-05", "solution": "Upgrade to version 1.4.2 or above.", "title": "Heap-based Buffer Overflow", "urls": [ "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm", "https://github.com/advisories/GHSA-jj47-x69x-mxrm" ], "uuid": "25255b57-91c4-41b0-980c-36a210e90a52" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:yajl-ruby_project:yajl-ruby:*:*:*:*:*:ruby:*:*", "cpe_name": [], "versionEndExcluding": "1.4.2", "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24795" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf-\u003ealloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-190" }, { "lang": "en", "value": "CWE-122" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm", "refsource": "CONFIRM", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm" }, { "name": "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64", "refsource": "MISC", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64" }, { "name": "https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6", "refsource": "MISC", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6" }, { "name": "[debian-lts-announce] 20230711 [SECURITY] [DLA 3492-1] yajl security update", "refsource": "MLIST", "tags": [], "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html" }, { "name": "FEDORA-2023-00572178e1", "refsource": "FEDORA", "tags": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KLE3C4CECEJ4EUYI56KXI6OWACWXX7WN/" }, { "name": "FEDORA-2023-852b377773", "refsource": "FEDORA", "tags": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YO32YDJ74DADC7CMJNLSLBVWN5EXGF5J/" }, { "name": "[debian-lts-announce] 20230805 [SECURITY] [DLA 3516-1] burp security update", "refsource": "MLIST", "tags": [], "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6 } }, "lastModifiedDate": "2023-08-05T19:15Z", "publishedDate": "2022-04-05T16:15Z" } } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.