#VU64001 Heap-based buffer overflow in yajl-ruby and yajl - CVE-2022-24795


Vulnerability identifier: #VU64001

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-24795

CWE-ID: CWE-122

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
yajl-ruby
Universal components / Libraries / Libraries used by multiple products
yajl
Universal components / Libraries / Libraries used by multiple products

Vendor: brianmario (Brian Lopez)
Lloyd Hilaiel

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error when handling large inputs. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and perform a denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

yajl-ruby: 0.1.0 - 1.4.1

yajl: 2.0.0 - 2.1.0

External links
https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64
https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Anolis OS update for yajl
Amazon Linux AMI update for yajl
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.15
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.15
Red Hat Enterprise Linux 8.6 Extended Update Support update for yajl
Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management
Fedora 37 update for yajl
Fedora 38 update for yajl
Anolis OS update for yajl
Multiple vulnerabilities in OpenShift Virtualization 4.12