5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
57.3%
What kind of vulnerability is it? Who is impacted?
When an error occurs while reallocating the buffer for string decoding, the buffer gets freed twice.
Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python.
Has the problem been patched? What versions should users upgrade to?
Users should upgrade to UltraJSON 5.4.0.
Is there a way for users to fix or remediate the vulnerability without upgrading?
There is no workaround.
If you have any questions or comments about this advisory:
github.com/advisories/GHSA-fm67-cv37-96ff
github.com/ultrajson/ultrajson/commit/9c20de0f77b391093967e25d01fb48671104b15b
github.com/ultrajson/ultrajson/security/advisories/GHSA-fm67-cv37-96ff
lists.fedoraproject.org/archives/list/[email protected]/message/NAU5N4A7EUK2AMUCOLYDD5ARXAJYZBD2/
lists.fedoraproject.org/archives/list/[email protected]/message/OPPU5FZP3LCTXYORFH7NHUMYA5X66IA7/
nvd.nist.gov/vuln/detail/CVE-2022-31117
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
57.3%