Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1maDU2LTg1Y3ctNXBxNs0gMg
UltraJSON vulnerable to Out-of-bounds Write
UltraJSON (aka ujson) 1.34 through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode).
Permalink: https://github.com/advisories/GHSA-fh56-85cw-5pq6JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1maDU2LTg1Y3ctNXBxNs0gMg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Identifiers: GHSA-fh56-85cw-5pq6, CVE-2021-45958
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-45958
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml
- https://github.com/ultrajson/ultrajson/issues/501
- https://github.com/ultrajson/ultrajson/issues/502#issuecomment-1031747284
- https://github.com/ultrajson/ultrajson/pull/504
- https://lists.debian.org/debian-lts-announce/2022/02/msg00023.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/CN7W3GOXALINKFUUE7ICQIC2EF5HNKUQ/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/O6JUWQTJLA2CMG4CJN7DCUVSOXLZIIXL/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/ULX35TSWLBBIMEH44MUORPXYYRZKEDC6/
- https://github.com/ultrajson/ultrajson/pull/519
- https://lists.fedoraproject.org/archives/list/[email protected]/message/NAU5N4A7EUK2AMUCOLYDD5ARXAJYZBD2/
- https://github.com/advisories/GHSA-fh56-85cw-5pq6
Blast Radius: 23.4
Affected Packages
pypi:ujson
Dependent packages: 520Dependent repositories: 18,137
Downloads: 11,230,061 last month
Affected Version Ranges: >= 1.34, < 5.2.0
Fixed in: 5.2.0
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 3.0.0, 3.1.0, 3.2.0, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.2.0, 4.3.0, 5.0.0, 5.1.0
All unaffected versions: 5.2.0, 5.3.0, 5.4.0, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0