Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zeGc4LWNjOGYtOXd2Ms4AAv9V
Unsanitized input leading to code injection in Dalli
A vulnerability was found in Dalli, a Ruby memcached client. Affected is the function self.meta_set in the file lib/dalli/protocol/meta/request_formatter.rb of the Meta Protocol Handler component. Input is not sanitized before it is formatted into a memcached meta-protocol request, so crafted input can alter the command sent to the server (injection). The exploit has been disclosed publicly and may be used. The fix is commit 48d594dae55934476fec61789e7a7c3700e0f50d; upgrading to a patched release is recommended.
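To make the injection concrete, the following is an added Ruby example, not Dalli's code and not the contents of the fix commit. It models a meta-protocol "ms" (meta set) request as documented by memcached (`ms <key> <datalen> <flags>*\r\n<data>\r\n`, with `T<ttl>` as the TTL flag), shows how an unsanitized key splits one request into several server-side commands, and pairs it with a hardened formatter plus a small affected-version check. The function names (naive_meta_set, hardened_meta_set, server_view, dalli_affected?), the key-validation rule and the sample attacker key are this example's own assumptions.

```ruby
# Added illustration, not Dalli's code: why unsanitized input into a memcached
# meta-protocol request is a command injection, and the check that blocks it.
require 'stringio'

# Vulnerable shape (assumed for illustration): key and ttl are interpolated
# verbatim into the "ms" request line.
def naive_meta_set(key, value, ttl: 0)
  value = value.to_s
  "ms #{key} #{value.bytesize} T#{ttl}\r\n#{value}\r\n"
end

# Key rule used by this example (not Dalli's): non-empty, at most 250 bytes,
# and no whitespace or control bytes, so a key can never end the command line.
def safe_key?(key)
  key.is_a?(String) && !key.empty? && key.bytesize <= 250 &&
    key.each_byte.all? { |b| b > 0x20 && b != 0x7f }
end

def hardened_meta_set(key, value, ttl: 0)
  raise ArgumentError, "invalid key: #{key.inspect}" unless safe_key?(key)
  raise ArgumentError, "invalid ttl: #{ttl.inspect}" unless ttl.is_a?(Integer) && ttl >= 0
  value = value.to_s
  # datalen is derived from the actual bytes, so the value is length-framed.
  "ms #{key} #{value.bytesize} T#{ttl}\r\n#{value}\r\n"
end

# Minimal model of how a memcached server frames a request stream: one command
# per CRLF-terminated line; a storage command is followed by exactly <datalen>
# bytes of data plus CRLF, which the server does not interpret as commands.
def server_view(stream)
  io = StringIO.new(stream)
  commands = []
  while (line = io.gets("\r\n"))
    line = line.chomp("\r\n")
    commands << line
    tokens = line.split(' ')
    case tokens[0]
    when 'ms' then io.read(tokens[2].to_i + 2)
    when 'set', 'add', 'replace', 'append', 'prepend' then io.read(tokens[4].to_i + 2)
    end
  end
  commands
end

# Is a Dalli release inside this advisory's affected range (< 3.2.3)?
def dalli_affected?(version)
  Gem::Version.new(version) < Gem::Version.new('3.2.3')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker-controlled key: terminates the ms line early, then
  # smuggles an "md" (meta delete) of another key before a dummy ms command.
  evil_key = "foo 0\r\n\r\nmd victim q\r\nms junk"
  p server_view(naive_meta_set(evil_key, 'v'))
  # => ["ms foo 0", "md victim q", "ms junk 1 T0"]
  begin
    hardened_meta_set(evil_key, 'v')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts "dalli 3.2.2 affected? #{dalli_affected?('3.2.2')}"
end
```

The server-side view is what makes the severity and the fix easy to reason about: the value is protected by its length prefix even in the naive formatter, but anything interpolated into the command line (key, ttl) is not, so a CRLF inside it becomes a second command that the attacker chose, which matches the advisory's integrity-only impact. The practical remediation remains upgrading; the dalli_affected? helper is the check to run against the version pinned in a Gemfile.lock.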
Permalink: https://github.com/advisories/GHSA-3xg8-cc8f-9wv2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zeGc4LWNjOGYtOXd2Ms4AAv9V
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 2 years ago
Updated: almost 2 years ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Percentage: 0.0009
EPSS Percentile: 0.39525
Identifiers: GHSA-3xg8-cc8f-9wv2, CVE-2022-4064
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-4064
- https://github.com/petergoldstein/dalli/issues/932
- https://github.com/petergoldstein/dalli/pull/933
- https://github.com/petergoldstein/dalli/commit/48d594dae55934476fec61789e7a7c3700e0f50d
- https://vuldb.com/?id.214026
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/dalli/CVE-2022-4064.yml
- https://github.com/advisories/GHSA-3xg8-cc8f-9wv2
Blast Radius: 15.0
Affected Packages
rubygems:dalli
Dependent packages: 213
Dependent repositories: 11,488
Downloads: 102,944,892 total
Affected Version Ranges: < 3.2.3
Fixed in: 3.2.3
All affected versions: 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.2.0, 3.2.1, 3.2.2
All unaffected versions: 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8