Double Free Affecting python3-ujson package, versions <1.35-150100.3.5.1


Severity

Recommended
0.0
medium
0
10

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
0.19% (58th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Double Free vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-SLES154-PYTHON3UJSON-2975415
  • published5 Aug 2022
  • disclosed4 Aug 2022

Introduced: 4 Aug 2022

CVE-2022-31117  (opens in a new tab)
CWE-415  (opens in a new tab)

How to fix?

Upgrade SLES:15.4 python3-ujson to version 1.35-150100.3.5.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-ujson package and not the python3-ujson package as distributed by SLES. See How to fix? for SLES:15.4 relevant fixed versions and status.

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to 5.4.0 an error occurring while reallocating a buffer for string decoding can cause the buffer to get freed twice. Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python. This issue has been resolved in version 5.4.0 and all users should upgrade to UltraJSON 5.4.0. There are no known workarounds for this issue.

CVSS Base Scores

version 3.1