CVE-2022-31116

Incorrect handling of invalid surrogate pair characters in ujson

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's `json` module does, preserving them in the parsed output. Users are advised to upgrade. There are no known workarounds for this issue.

UltraJSON es un codificador y decodificador JSON rápido escrito en C puro con enlaces para Python versiones 3.7+. Se encontró que las versiones afectadas descodificaban incorrectamente determinados caracteres. Las cadenas JSON que contienen caracteres suplentes escapados que no forman parte de un par suplente adecuado se decodificaron incorrectamente. Además de corromper las cadenas, esto permitió una posible confusión de claves y sobrescritura de valores en los diccionarios. Todos los usuarios que analizan JSON de fuentes que no son de confianza son vulnerables. A partir de la versión 5.4.0, UltraJSON decodifica sustitutos solitarios de la misma manera que lo hace el módulo "json" de la biblioteca estándar, conservándolos en la salida analizada. Se recomienda a los usuarios que actualicen. No se conocen mitigaciones adicionales para este problema

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-18 CVE Reserved
2022-07-05 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-09-26 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-228: Improper Handling of Syntactically Invalid Structure
CWE-670: Always-Incorrect Control Flow Implementation

CAPEC

References (6)

URL	Tag	Source

URL	Date	SRC
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wpqr-jcpx-745r	2024-08-03

URL	Date	SRC
https://github.com/ultrajson/ultrajson/commit/67ec07183342589d602e0fcf7bb1ff3e19272687	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NAU5N4A7EUK2AMUCOLYDD5ARXAJYZBD2	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPPU5FZP3LCTXYORFH7NHUMYA5X66IA7	2023-11-07
https://access.redhat.com/security/cve/CVE-2022-31116	2022-12-07
https://bugzilla.redhat.com/show_bug.cgi?id=2104740	2022-12-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ultrajson Project Search vendor "Ultrajson Project"		Ultrajson Search vendor "Ultrajson Project" for product "Ultrajson"				< 5.4.0 Search vendor "Ultrajson Project" for product "Ultrajson" and version " < 5.4.0"		python		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected