CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-31116 – Incorrect handling of invalid surrogate pair characters in ujson
https://notcve.org/view.php?id=CVE-2022-31116
05 Jul 2022 — UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. • https://github.com/ultrajson/ultrajson/commit/67ec07183342589d602e0fcf7bb1ff3e19272687 • CWE-228: Improper Handling of Syntactically Invalid Structure CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2022-31117 – Double free of buffer during string decoding in ujson
https://notcve.org/view.php?id=CVE-2022-31117
05 Jul 2022 — UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to 5.4.0 an error occurring while reallocating a buffer for string decoding can cause the buffer to get freed twice. Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python. This issue has been resolved in version 5.4.0 and all users should upgrade to UltraJSON 5.4.0. There are no known workarounds for this issue. • https://github.com/ultrajson/ultrajson/commit/9c20de0f77b391093967e25d01fb48671104b15b • CWE-415: Double Free •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 3CVE-2021-45958 – Ubuntu Security Notice USN-6629-2
https://notcve.org/view.php?id=CVE-2021-45958
31 Dec 2021 — UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation. UltraJSON (también conocido como ujson) a través de 5.1.0 tiene un desbordamiento de búfer basado en pila en Buffer_AppendIndentUnchecked (llamado desde encode). La explotación puede, por ejemplo, utilizar una gran cantidad de sangría USN-6629-1 fixed vulnerabilities in UltraJSON. This update provides the corresponding u... • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009 • CWE-787: Out-of-bounds Write •