CVE-2017-16516 — Use of Externally-Controlled Format String in Project Yajl-ruby

CWE-134 — Use of Externally-Controlled Format String CWE-20 — Improper Input Validation11 documents7 sources

Severity

7.5HIGHNVD

EPSS

1.7%

top 17.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Burp Project Burp Yajl-ruby Project Yajl-ruby Debian Burp +6 more

Timeline

PublishedNov 3

Latest updateDec 14

Description

In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages9 packages

▶debiandebian/ruby-yajl< burp 3.1.4-2 (forky)

▶RubyGemsyajl-ruby_project/yajl-ruby< 1.3.1

▶NVDyajl-ruby_project/yajl-ruby1.3.0

▶debiandebian/yajl< burp 3.1.4-2 (forky)

▶debiandebian/r-cran-jsonlite< burp 3.1.4-2 (forky)

Also affects: Debian Linux 7.0

🔴Vulnerability Details

OSV

yajl vulnerabilities↗2023-12-14

▶

OSV

yajl vulnerabilities↗2023-07-18

▶

GHSA

yajl-ruby gem Denial of Service vulnerability↗2017-11-28

▶

OSV

yajl-ruby gem Denial of Service vulnerability↗2017-11-28

▶

OSV

CVE-2017-16516: In the yajl-ruby gem 1↗2017-11-03

▶

📋Vendor Advisories

Ubuntu

YAJL vulnerabilities↗2023-12-14

▶

Ubuntu

YAJL vulnerabilities↗2023-07-18

▶

Red Hat

rubygem-yajl-ruby: Yajl:: Parser.new.parse incorrect parsing↗2017-11-02

▶

Debian

CVE-2017-16516: burp - In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yaj...↗2017

▶

💬Community

Bugzilla

CVE-2017-16516 rubygem-yajl-ruby: Yajl::Parser.new.parse incorrect parsing↗2017-12-11

▶