CVE-2021-45958
Published: 1 January 2022
UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.
Notes
Author | Note |
---|---|
ccdm94 | the embedded ujson code in pandas, eventhough containing similar content as the upstream ujson code, seems to have diverged from the ujson upstream project (they have fully forked ujson), since pandas upstream is maintaining their own ujson bug fixes and changes without re-syncing with the ujson upstream project. There is no indication the ujson fork, as used in pandas, is vulnerable to the same issues as the upstream ujson code. |
Priority
Status
Package | Release | Status |
---|---|---|
pandas Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
hirsute |
Ignored
(end of life)
|
|
impish |
Ignored
(end of life)
|
|
jammy |
Needs triage
|
|
kinetic |
Ignored
(end of life, was needs-triage)
|
|
lunar |
Ignored
(end of life, was needs-triage)
|
|
mantic |
Ignored
(end of life, was needs-triage)
|
|
noble |
Needs triage
|
|
trusty |
Needs triage
|
|
upstream |
Needed
|
|
xenial |
Needs triage
|
|
ujson Launchpad, Ubuntu, Debian |
bionic |
Released
(1.35-2ubuntu0.1~esm1)
Available with Ubuntu Pro |
focal |
Released
(1.35-4ubuntu0.1)
|
|
hirsute |
Ignored
(end of life)
|
|
impish |
Ignored
(end of life)
|
|
jammy |
Released
(5.1.0-1ubuntu0.1~esm1)
Available with Ubuntu Pro |
|
kinetic |
Ignored
(end of life, was needs-triage)
|
|
lunar |
Not vulnerable
(5.4.0-1)
|
|
mantic |
Not vulnerable
(5.4.0-1)
|
|
noble |
Not vulnerable
(5.4.0-1)
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Released
(5.2.0)
|
|
xenial |
Released
(1.33-1ubuntu0.1~esm2)
Available with Ubuntu Pro |
|
Patches: upstream: https://github.com/ultrajson/ultrajson/pull/519 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
References
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml
- https://ubuntu.com/security/notices/USN-6629-1
- https://ubuntu.com/security/notices/USN-6629-2
- https://www.cve.org/CVERecord?id=CVE-2021-45958
- NVD
- Launchpad
- Debian