scrapedia/scrapy-cookies

CVE-2022-31116 (High) detected in ujson-2.0.3-cp27-cp27mu-manylinux1_x86_64.whl

Opened this issue · 0 comments

CVE-2022-31116 - High Severity Vulnerability

Vulnerable Library - ujson-2.0.3-cp27-cp27mu-manylinux1_x86_64.whl

Ultra fast JSON encoder and decoder for Python

Library home page: https://files.pythonhosted.org/packages/0d/ca/404a902e7fc2d39796b01f72e90a2b32e7ca25a3708bcf1d602ccf9e3658/ujson-2.0.3-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /tmp/ws-scm/scrapy-cookies

Path to vulnerable library: /scrapy-cookies

Dependency Hierarchy:

  • ujson-2.0.3-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's json module does, preserving them in the parsed output. Users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2022-07-05

URL: CVE-2022-31116

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31116

Release Date: 2022-07-05

Fix Resolution: 5.4.0


Step up your Open Source Security Game with Mend here