Vulnerability Details CVE-2022-24795
yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.013
EPSS Ranking 78.8%
CVSS Severity
CVSS v3 Score 5.9
CVSS v2 Score 5.0
References
- https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64
- https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6
- https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
- https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLE3C4CECEJ4EUYI56KXI6OWACWXX7WN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO32YDJ74DADC7CMJNLSLBVWN5EXGF5J/
- https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64
- https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6
- https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
- https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLE3C4CECEJ4EUYI56KXI6OWACWXX7WN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO32YDJ74DADC7CMJNLSLBVWN5EXGF5J/
Products affected by CVE-2022-24795
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.1.0
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.2.0
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.2.1
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.3.0
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.3.1
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.3.2
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.3.3
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.3.4
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.4.0
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.4.1
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.4.2
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.4.3
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.4.4
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.4.5
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.4.6
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.4.7
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.4.8
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.4.9
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.5.0
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.5.1
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.5.10
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.5.11
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.5.12
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.5.2
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.5.3
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.5.4
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.5.5
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.5.6
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.5.7
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.5.8
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.5.9
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.6.0
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.6.1
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.6.2
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.6.3
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.6.4
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.6.5
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.6.6
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.6.7
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.6.8
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.6.9
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.7.0
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.7.1
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.7.2
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.7.3
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.7.4
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.7.5
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.7.6
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.7.7
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.7.8
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.7.9
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.8.0
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.8.1
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.8.2
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:0.8.3
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:1.0.0
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:1.1.0
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:1.2.0
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:1.2.1
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:1.2.2
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:1.2.3
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:1.3.0
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:1.3.1
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:1.4.0
-
cpe:2.3:a:yajl-ruby_project:yajl-ruby:1.4.1