CVE-2024-27322 — Deserialization of Untrusted Data in R Project R

CWE-502 — Deserialization of Untrusted Data6 documents6 sources

Severity

8.8HIGHNVD

EPSS

7.6%

top 8.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

THE R Project R Debian R-base Msrc Azl3 R 4.3.2-2 ON Azure Linux 3.0 +6 more

Timeline

PublishedApr 29

Latest updateApr 30

Description

Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages9 packages

▶debiandebian/r-base< r-base 4.4.0-2 (forky)

▶CVEListV5the_r_project/r1.4.0 — 4.4.0

▶msrcmsrc/azure_linux_3.0_arm

▶msrcmsrc/azure_linux_3.0_x64

▶msrcmsrc/cbl_mariner_2.0_arm

🔴Vulnerability Details

GHSA

GHSA-82x4-8q4x-2qxv: Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1↗2024-04-29

▶

OSV

CVE-2024-27322: Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1↗2024-04-29

▶

📋Vendor Advisories

Microsoft

R Language Vulnerable to Arbitrary Code Execution via Malicious RDS Files (v1.4.0–<4.4.0)↗2024-04-09

▶

Debian

CVE-2024-27322: r-base - Deserialization of untrusted data can occur in the R statistical programming lan...↗2024

▶

🕵️Threat Intelligence

Bleepingcomputer

R language flaw allows code execution via RDS/RDX files↗2024-04-30

▶