Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1maDU2LTg1Y3ctNXBxNs0gMg
UltraJSON vulnerable to Out-of-bounds Write
UltraJSON (aka ujson) 1.34 through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode).
Permalink: https://github.com/advisories/GHSA-fh56-85cw-5pq6JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1maDU2LTg1Y3ctNXBxNs0gMg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 8 months ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Identifiers: GHSA-fh56-85cw-5pq6, CVE-2021-45958
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-45958
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml
- https://github.com/ultrajson/ultrajson/issues/501
- https://github.com/ultrajson/ultrajson/issues/502#issuecomment-1031747284
- https://github.com/ultrajson/ultrajson/pull/504
- https://lists.debian.org/debian-lts-announce/2022/02/msg00023.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/CN7W3GOXALINKFUUE7ICQIC2EF5HNKUQ/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/O6JUWQTJLA2CMG4CJN7DCUVSOXLZIIXL/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/ULX35TSWLBBIMEH44MUORPXYYRZKEDC6/
- https://github.com/ultrajson/ultrajson/pull/519
- https://lists.fedoraproject.org/archives/list/[email protected]/message/NAU5N4A7EUK2AMUCOLYDD5ARXAJYZBD2/
- https://github.com/advisories/GHSA-fh56-85cw-5pq6
Affected Packages
pypi:ujson
Versions: >= 1.34, < 5.2.0Fixed in: 5.2.0