Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1maDU2LTg1Y3ctNXBxNs0gMg

UltraJSON vulnerable to Out-of-bounds Write

UltraJSON (aka ujson) 1.34 through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode).

Permalink: https://github.com/advisories/GHSA-fh56-85cw-5pq6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1maDU2LTg1Y3ctNXBxNs0gMg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago

CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Identifiers: GHSA-fh56-85cw-5pq6, CVE-2021-45958
References:

• https://nvd.nist.gov/vuln/detail/CVE-2021-45958
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009
• https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml
• https://github.com/ultrajson/ultrajson/issues/501
• https://github.com/ultrajson/ultrajson/issues/502#issuecomment-1031747284
• https://github.com/ultrajson/ultrajson/pull/504
• https://lists.debian.org/debian-lts-announce/2022/02/msg00023.html
• https://lists.fedoraproject.org/archives/list/[email protected]/message/CN7W3GOXALINKFUUE7ICQIC2EF5HNKUQ/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/O6JUWQTJLA2CMG4CJN7DCUVSOXLZIIXL/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/ULX35TSWLBBIMEH44MUORPXYYRZKEDC6/
• https://github.com/ultrajson/ultrajson/pull/519
• https://lists.fedoraproject.org/archives/list/[email protected]/message/NAU5N4A7EUK2AMUCOLYDD5ARXAJYZBD2/
• https://github.com/advisories/GHSA-fh56-85cw-5pq6

Repository: https://github.com/google/oss-fuzz-vulns
Blast Radius: 23.4

Affected Packages