Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2022-31116 (High) detected in ujson-2.0.3-cp27-cp27mu-manylinux1_x86_64.whl #625

Open
mend-for-github-com bot opened this issue Jul 6, 2022 · 0 comments
Open

CVE-2022-31116 (High) detected in ujson-2.0.3-cp27-cp27mu-manylinux1_x86_64.whl #625

mend-for-github-com bot opened this issue Jul 6, 2022 · 0 comments
Labels
security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-for-github-com
Copy link
Contributor

CVE-2022-31116 - High Severity Vulnerability

Vulnerable Library - ujson-2.0.3-cp27-cp27mu-manylinux1_x86_64.whl

Ultra fast JSON encoder and decoder for Python

Library home page: https://files.pythonhosted.org/packages/0d/ca/404a902e7fc2d39796b01f72e90a2b32e7ca25a3708bcf1d602ccf9e3658/ujson-2.0.3-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /src

Path to vulnerable library: /src,/src/webui/backend

Dependency Hierarchy:

  • ujson-2.0.3-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 8df0c9edde054463776fa58e88036ee2a783a41f

Found in base branch: master

Vulnerability Details

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's json module does, preserving them in the parsed output. Users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2022-07-05

URL: CVE-2022-31116

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31116

Release Date: 2022-07-05

Fix Resolution: ujson - 5.4.0

⛑️ Automatic Remediation is available for this issue
@mend-for-github-com mend-for-github-com bot added the security vulnerability Security vulnerability detected by WhiteSource label Jul 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants