Vulnerability Name: CVE-2022-31116 (CCN-230458)
Assigned: 2022-07-02
Published: 2022-07-02
Updated: 2022-11-05
Summary: UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's `json` module does, preserving them in the parsed output. Users are advised to upgrade. There are no known workarounds for this issue.
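The decoding behaviour the summary describes (escaped surrogates outside a well-formed pair, which a parser must preserve rather than fold into other characters) can also be checked at the input boundary. The scanner below is an added example, not code from UltraJSON or from the advisory: it reports every lone surrogate escape in a JSON document so that such input can be rejected or logged before parsing, and `stdlib_keys` shows the standard-library `json` behaviour that version 5.4.0 adopted. Function names and the sample document are my own constructions.

```python
import json

_HEX = set("0123456789abcdefABCDEF")

def _escape_at(text, i):
    """Code point of a \\uXXXX escape starting at text[i], else None."""
    hex4 = text[i + 2:i + 6]
    if text.startswith("\\u", i) and len(hex4) == 4 and set(hex4) <= _HEX:
        return int(hex4, 16)
    return None

def find_lone_surrogate_escapes(text):
    """(offset, code point) of every \\uD800-\\uDFFF escape inside a JSON
    string literal that is not half of a well-formed high/low pair."""
    findings, i, in_string = [], 0, False
    while i < len(text):
        c = text[i]
        if not in_string:
            in_string = c == '"'          # only string literals carry escapes
            i += 1
        elif c == '"':
            in_string, i = False, i + 1
        elif c != "\\":
            i += 1
        else:
            cp = _escape_at(text, i)
            if cp is None:
                i += 2                    # \" \\ \/ \n ...: skip the escaped char
            elif 0xD800 <= cp <= 0xDBFF:
                low = _escape_at(text, i + 6)
                if low is not None and 0xDC00 <= low <= 0xDFFF:
                    i += 12               # well-formed pair: consume both halves
                else:
                    findings.append((i, cp))   # high surrogate with no low after it
                    i += 6
            elif 0xDC00 <= cp <= 0xDFFF:
                findings.append((i, cp))       # low surrogate with no high before it
                i += 6
            else:
                i += 6
    return findings

# Constructed sample: a valid pair, a lone high, a lone low, and an escaped
# backslash followed by 'ud800' (a literal backslash; must not be flagged).
SAMPLE = '{"\\ud83d\\ude00": 1, "\\ud800": 2, "\\udc00": 3, "\\\\ud800": 4}'

def stdlib_keys(text=SAMPLE):
    """Keys as the stdlib json module (the behaviour 5.4.0 matches) decodes them."""
    return list(json.loads(text).keys())
```

Because the standard library keeps each lone surrogate as its own key, all four keys in the sample stay distinct; a decoder that folds them into other characters is what opens the key-confusion path the advisory mentions.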
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Vulnerability Type: CWE-670
Vulnerability Consequences: Denial of Service
References:
  Source: MITRE; Type: CNA; CVE-2022-31116
  Source: XF; Type: UNKNOWN; ultrajson-cve202231116-dos(230458)
  Source: MISC; Type: Patch, Third Party Advisory; https://github.com/ultrajson/ultrajson/commit/67ec07183342589d602e0fcf7bb1ff3e19272687
  Source: CCN; Type: UltraJSON GIT Repository; Incorrect handling of invalid surrogate pair characters
  Source: CONFIRM; Type: Exploit, Third Party Advisory; https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wpqr-jcpx-745r
  Source: FEDORA; Type: Mailing List, Third Party Advisory; FEDORA-2022-33e816bc37
  Source: FEDORA; Type: Mailing List, Third Party Advisory; FEDORA-2022-1b2b8d5177
  Source: CCN; Type: IBM Security Bulletin 6854981 (Cloud Pak for Security); IBM Cloud Pak for Security includes components with multiple known vulnerabilities
  Source: CCN; Type: Mend Vulnerability Database; CVE-2022-31116
Vulnerable Configuration: Configuration 1; Configuration 2; Configuration CCN 1
Oval Definitions: