CVE-2022-24795

yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 78%
VendorProductVersion
yajl-ruby_projectyajl-ruby
𝑥
< 1.4.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
burp
bullseye
no-dsa
buster
no-dsa
stretch
no-dsa
bookworm
no-dsa
sid
3.1.4-3.1
fixed
trixie
3.1.4-3.1
fixed
epics-base
bookworm
7.0.3.1-4
no-dsa
bullseye
no-dsa
buster
no-dsa
stretch
no-dsa
sid
7.0.8.1+dfsg1-2
fixed
trixie
7.0.8.1+dfsg1-2
fixed
r-cran-jsonlite
bullseye
no-dsa
buster
no-dsa
stretch
no-dsa
bookworm
no-dsa
sid
1.8.9+dfsg-1
fixed
trixie
1.8.9+dfsg-1
fixed
ruby-yajl
bullseye
no-dsa
buster
no-dsa
stretch
no-dsa
bookworm
1.4.3-1
no-dsa
sid
1.4.3-1
fixed
trixie
1.4.3-1
fixed
xqilla
bullseye
2.3.4-1
fixed
buster
no-dsa
stretch
no-dsa
bookworm
no-dsa
yajl
bullseye
2.1.0-3+deb11u2
no-dsa
buster
no-dsa
stretch
no-dsa
bookworm
2.1.0-3+deb12u2
no-dsa
sid
2.1.0-5
fixed
trixie
2.1.0-5
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
argyll
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
burp
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
centreon-broker
xenial
ignored
trusty
ignored
collada2gltf
noble
dne
mantic
dne
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
bionic
needs-triage
xenial
needs-triage
trusty
ignored
icinga2
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
libbson
bionic
needs-triage
xenial
needs-triage
trusty
ignored
lnav
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
php-mongodb
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
r-cran-jsonlite
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
ruby-yajl
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
tulip
noble
dne
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
xenial
needs-triage
trusty
ignored
yajl
noble
not-affected
mantic
not-affected
lunar
Fixed 2.1.0-3ubuntu0.23.04.1
released
kinetic
ignored
jammy
Fixed 2.1.0-3ubuntu0.22.04.1
released
impish
ignored
focal
Fixed 2.1.0-3ubuntu0.20.04.1
released
bionic
Fixed 2.1.0-2ubuntu0.18.04.1~esm1
released
xenial
Fixed 2.1.0-2ubuntu0.16.04.1~esm1
released
trusty
Fixed 2.0.4-4ubuntu0.1~esm1
released
Common Weakness Enumeration
References
https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64
https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6
https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLE3C4CECEJ4EUYI56KXI6OWACWXX7WN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO32YDJ74DADC7CMJNLSLBVWN5EXGF5J/
https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64
https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6
https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLE3C4CECEJ4EUYI56KXI6OWACWXX7WN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO32YDJ74DADC7CMJNLSLBVWN5EXGF5J/