From f2dc67afe06a0669eab4d9bb8b1ae59b6721def8 Mon Sep 17 00:00:00 2001 From: Tyler Finethy Date: Thu, 5 Oct 2023 10:26:26 -0400 Subject: [PATCH] Add `jsonlite` CRAN package as `RSEC-2023-3` (#3) * Add `jsonlite` CRAN package as `RSEC-2023-3` Additional information is provided in https://github.com/jeroen/jsonlite/pull/421 * Fix: jsonlite versions must be strings --- latest-id.txt | 2 +- vulns/jsonlite/RSEC-2023-3.yaml | 60 +++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 vulns/jsonlite/RSEC-2023-3.yaml diff --git a/latest-id.txt b/latest-id.txt index 923736b..a6ac50c 100644 --- a/latest-id.txt +++ b/latest-id.txt @@ -1 +1 @@ -2023-2 +2023-3 diff --git a/vulns/jsonlite/RSEC-2023-3.yaml b/vulns/jsonlite/RSEC-2023-3.yaml new file mode 100644 index 0000000..4eb3b8c --- /dev/null +++ b/vulns/jsonlite/RSEC-2023-3.yaml 
@@ -0,0 +1,60 @@ +id: RSEC-2023-3 +details: The jsonlite R package is exposed to a vulnerability due to its use of yajl library version 2.1.0. + The vulnerability originates from the yajl_tree_parse function within yajl. Attackers can exploit this flaw + to cause a memory leak, which will result in out-of-memory in server and lead to a crash. +affected: +- package: + name: jsonlite + ecosystem: CRAN + ranges: + - type: ECOSYSTEM + events: + - introduced: 0.9.12 + versions: + - 0.9.12 + - 0.9.13 + - 0.9.14 + - 0.9.15 + - 0.9.16 + - 0.9.17 + - 0.9.18 + - 0.9.19 + - 0.9.20 + - 0.9.21 + - 0.9.22 + - "1.0" + - "1.1" + - "1.2" + - "1.3" + - "1.4" + - "1.5" + - "1.6" + - 1.6.1 + - 1.7.0 + - 1.7.2 + - 1.7.3 + - 1.8.0 + - 1.8.1 + - 1.8.2 + - 1.8.3 + - 1.8.4 + - 1.8.5 + - 1.8.6 + - 1.8.7 +references: +- type: WEB + url: https://github.com/jeroen/jsonlite/pull/421 +- type: WEB + url: https://nvd.nist.gov/vuln/detail/CVE-2023-33460 +- type: WEB + url: https://github.com/lloyd/yajl/issues/250 +- type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/07/msg00000.html +- type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html +- type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KLE3C4CECEJ4EUYI56KXI6OWACWXX7WN/ +aliases: +- CVE-2023-33460 +modified: "2023-07-18T04:37:21.600Z" +published: "2023-07-18T04:37:21.600Z"
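Review bot: The `latest-id.txt` hunk bumps a hand-maintained counter (`2023-2` to `2023-3`) that is written without the `RSEC-` prefix used in the new record's `id: RSEC-2023-3`, so nothing in this change verifies the two stay in sync or that a concurrent PR does not claim the same number. Suggest a CI check that parses every `vulns/*/RSEC-*.yaml`, takes the highest `id`, and fails the build if `latest-id.txt` does not equal it, rather than relying on contributors to edit the counter by hand.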
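Review bot: The `affected` range in `RSEC-2023-3.yaml` has only `- introduced: 0.9.12` under `events` and no `fixed` event, so the ECOSYSTEM range is open-ended and every future jsonlite release will match, even though the record cites https://github.com/jeroen/jsonlite/pull/421 as the upstream fix; if a fixed release exists, add `- fixed: <FIXED_VERSION>` (placeholder, the version is not given in this patch) after the `introduced` event, and if it does not yet exist, say so in `details` so consumers know 1.8.7 is simply the last enumerated version, not the last affected one. A smaller point on the same hunk: the "versions must be strings" fix quotes only `"1.0"` through `"1.6"` while `0.9.12`, `1.6.1` and the rest stay bare; they parse as strings today, but quoting every entry would make the list consistent and avoid the next two-component version being silently read as a float.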