CVSS3 | 5.9 Medium |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |

CVSS2 | 4.3 Medium |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector | AV:N/AC:M/Au:N/C:N/I:N/A:P |

EPSS | 0.002 Low |
---|---|
Percentile | 57.3% |
UltraJSON is a fast JSON encoder and decoder written in pure C with
bindings for Python 3.7+. In versions prior to 5.4.0, an error occurring
while reallocating a buffer for string decoding can cause the buffer to be
freed twice. Due to how UltraJSON uses the internal decoder, this double
free is impossible to trigger from Python. This issue has been resolved in
version 5.4.0, and all users should upgrade to UltraJSON 5.4.0. There are no
known workarounds for this issue.
Author | Note |
---|---|
ccdm94 | The embedded ujson code in pandas, even though containing similar content to the upstream ujson code, seems to have diverged from the ujson upstream project (they have fully forked ujson), since pandas upstream is maintaining their own ujson bug fixes and changes without re-syncing with the ujson upstream project. There is no indication the ujson fork, as used in pandas, is vulnerable to the same issues as the upstream ujson code. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | collada2gltf | < any | UNKNOWN |
ubuntu | 22.04 | noarch | collada2gltf | < any | UNKNOWN |
ubuntu | 16.04 | noarch | collada2gltf | < any | UNKNOWN |
ubuntu | 18.04 | noarch | pandas | < any | UNKNOWN |
ubuntu | 20.04 | noarch | pandas | < any | UNKNOWN |
ubuntu | 22.04 | noarch | pandas | < any | UNKNOWN |
ubuntu | 23.10 | noarch | pandas | < any | UNKNOWN |
ubuntu | 14.04 | noarch | pandas | < any | UNKNOWN |
ubuntu | 16.04 | noarch | pandas | < any | UNKNOWN |
ubuntu | 18.04 | noarch | ujson | < 1.35-2ubuntu0.1~esm1 | UNKNOWN |
github.com/ultrajson/ultrajson/commit/9c20de0f77b391093967e25d01fb48671104b15b
github.com/ultrajson/ultrajson/commit/9c20de0f77b391093967e25d01fb48671104b15b (5.4.0)
github.com/ultrajson/ultrajson/security/advisories/GHSA-fm67-cv37-96ff
launchpad.net/bugs/cve/CVE-2022-31117
nvd.nist.gov/vuln/detail/CVE-2022-31117
security-tracker.debian.org/tracker/CVE-2022-31117
ubuntu.com/security/notices/USN-6629-1
ubuntu.com/security/notices/USN-6629-3
www.cve.org/CVERecord?id=CVE-2022-31117