CVE-2021-45958

Note

the embedded ujson code in pandas, eventhough containing similar
content as the upstream ujson code, seems to have diverged from the
ujson upstream project (they have fully forked ujson), since pandas
upstream is maintaining their own ujson bug fixes and changes without
re-syncing with the ujson upstream project. There is no indication
the ujson fork, as used in pandas, is vulnerable to the same issues
as the upstream ujson code.

Package	Release	Status
pandas Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	hirsute	Ignored (end of life)
	impish	Ignored (end of life)
	jammy	Needs triage
	kinetic	Ignored (end of life, was needs-triage)
	lunar	Ignored (end of life, was needs-triage)
	mantic	Ignored (end of life, was needs-triage)
	noble	Needs triage
	trusty	Needs triage
	upstream	Needed
	xenial	Needs triage
ujson Launchpad, Ubuntu, Debian	bionic	Released (1.35-2ubuntu0.1~esm1) Available with Ubuntu Pro
	focal	Released (1.35-4ubuntu0.1)
	hirsute	Ignored (end of life)
	impish	Ignored (end of life)
	jammy	Released (5.1.0-1ubuntu0.1~esm1) Available with Ubuntu Pro
	kinetic	Ignored (end of life, was needs-triage)
	lunar	Not vulnerable (5.4.0-1)
	mantic	Not vulnerable (5.4.0-1)
	noble	Not vulnerable (5.4.0-1)
	trusty	Ignored (end of standard support)
	upstream	Released (5.2.0)
	xenial	Released (1.33-1ubuntu0.1~esm2) Available with Ubuntu Pro
	Patches: upstream: https://github.com/ultrajson/ultrajson/pull/519

Parameter	Value
Base score	5.5
Attack vector	Local
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2021-45958

Notes

Priority

Cvss 3 Severity Score

Status

Severity score breakdown

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Further reading