CVE-2021-45958
Ubuntu Security Notice USN-6629-2
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
-Decision
Descriptions
UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.
UltraJSON (también conocido como ujson) a través de 5.1.0 tiene un desbordamiento de búfer basado en pila en Buffer_AppendIndentUnchecked (llamado desde encode). La explotación puede, por ejemplo, utilizar una gran cantidad de sangría
USN-6629-1 fixed vulnerabilities in UltraJSON. This update provides the corresponding updates for Ubuntu 20.04 LTS. It was discovered that UltraJSON incorrectly handled certain input with a large amount of indentation. An attacker could possibly use this issue to crash the program, resulting in a denial of service. Jake Miller discovered that UltraJSON incorrectly decoded certain characters. An attacker could possibly use this issue to cause key confusion and overwrite values in dictionaries. It was discovered that UltraJSON incorrectly handled an error when reallocating a buffer for string decoding. An attacker could possibly use this issue to corrupt memory.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-12-31 CVE Reserved
- 2021-12-31 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-787: Out-of-bounds Write
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2022/02/msg00023.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009 | 2024-08-04 | |
| https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml | 2024-08-04 | |
| https://github.com/ultrajson/ultrajson/issues/501 | 2024-08-04 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/ultrajson/ultrajson/issues/502#issuecomment-1031747284 | 2023-11-07 | |
| https://github.com/ultrajson/ultrajson/pull/504 | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Ultrajson Project Search vendor "Ultrajson Project" | Ultrajson Search vendor "Ultrajson Project" for product "Ultrajson" | < 5.2.0 Search vendor "Ultrajson Project" for product "Ultrajson" and version " < 5.2.0" | python |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
| ||||||