Burp Project Burp vulnerabilities

CVE-2022-24795 [HIGH] CVE-2022-24795: yajl-ruby is a C binding to the YAJL JSON parsing and generation library yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of

CVE-2017-18284 [HIGH] CWE-732 CVE-2017-18284: The Gentoo app-backup/burp package before 2.1.32 sets the ownership of the PID file directory to the The Gentoo app-backup/burp package before 2.1.32 sets the ownership of the PID file directory to the burp account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a root script sends a SIGKILL.

CVE-2017-18285 [HIGH] CWE-732 CVE-2017-18285: The Gentoo app-backup/burp package before 2.1.32 has incorrect group ownership of the /etc/burp dire The Gentoo app-backup/burp package before 2.1.32 has incorrect group ownership of the /etc/burp directory, which might allow local users to obtain read and write access to arbitrary files by leveraging access to a certain account for a burp-server.conf change.

CVE-2017-16516 [HIGH] CVE-2017-16516: In the yajl-ruby gem 1 In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service.