
Remote Code Execution in Optica

High
deni published GHSA-cf87-4h6x-phh6 Nov 22, 2022

Package

Optica (Ruby)

Affected versions

< 0.10.2

Patched versions

0.10.2

Description

On the 26th of July 2022, the GitHub Security Lab reported to Airbnb a remote code execution (RCE) vulnerability in Optica that allowed unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.

A patched version of Optica was released on the 28th of July 2022.

Impact

Specially crafted JSON payloads may lead to remote code execution (RCE) on the attacked system running Optica.

Patches

The vulnerability was patched in v0.10.2, where the call to Oj.load was changed to Oj.safe_load.
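The reason the one-line change above closes the hole is the parsing mode: Oj.load runs in Oj's default object mode, which honours the gem's "^"-prefixed control keys (for example "^o", which names a class to instantiate) and so lets a document decide which Ruby objects get created; Oj.safe_load parses in strict mode and returns only hashes, arrays, strings and numbers. The following Ruby is an added example, not Optica's own code or part of this advisory. It contrasts the two calls on a benign constructed class, and adds a defender-side check that flags object-mode control keys in an untrusted document. The class Greeting, the sample payloads, and the JSON.parse fallback used when the oj gem is not installed are all assumptions of this example.

```ruby
# Added example (not Optica's code): why swapping Oj.load for Oj.safe_load
# closes the hole described in the advisory, plus a small check that flags
# Oj object-mode control keys in untrusted JSON. Class name, payloads and
# the stdlib fallback below are constructed for the demonstration.
require 'json'

# Oj is a native gem; fall back to the strict stdlib parser when it is absent
# so the hardened path still runs (assumption: both yield a plain Hash here).
OJ_AVAILABLE = begin
  require 'oj'
  true
rescue LoadError
  false
end

# Benign stand-in for any class that happens to be loaded in the process.
class Greeting
  attr_reader :text
end

# The pattern Optica used before 0.10.2: Oj.load in its default (object)
# mode honours the "^o" marker and instantiates the named class.
def load_object_mode(json)
  raise 'oj gem not installed' unless OJ_AVAILABLE
  Oj.load(json)
end

# The fix: strict parsing, so the same document is just data.
def parse_untrusted(json)
  if OJ_AVAILABLE
    Oj.safe_load(json)
  else
    JSON.parse(json) # stdlib JSON.parse does not honour create_additions
  end
end

# Defender's check: collect JSON paths whose object keys start with "^",
# the prefix Oj object mode uses for its control keys (^o, ^c, ^t, ^u, ...).
# Runs over already-parsed (strict) data, so it is safe to apply to a request
# body before the application does anything else with it.
def object_mode_markers(value, path = '$', found = [])
  case value
  when Hash
    value.each do |k, v|
      found << "#{path}.#{k}" if k.is_a?(String) && k.start_with?('^')
      object_mode_markers(v, "#{path}.#{k}", found)
    end
  when Array
    value.each_with_index { |v, i| object_mode_markers(v, "#{path}[#{i}]", found) }
  end
  found
end

# Constructed request bodies: one carrying an object-mode marker, one benign.
SUSPICIOUS = '{"node":{"^o":"Greeting","text":"hi"}}'
BENIGN     = '{"node":{"hostname":"web-1","roles":["app"]}}'

if __FILE__ == $PROGRAM_NAME
  if OJ_AVAILABLE
    obj = load_object_mode('{"^o":"Greeting","text":"hi"}')
    puts "Oj.load      -> #{obj.class}"
  end
  puts "safe parse   -> #{parse_untrusted(SUSPICIOUS)['node'].class}"
  puts "markers      -> #{object_mode_markers(parse_untrusted(SUSPICIOUS)).inspect}"
  puts "benign       -> #{object_mode_markers(parse_untrusted(BENIGN)).inspect}"
end
```

With the oj gem installed, the first line prints Greeting, showing that the untrusted document chose the class; the strict path prints Hash for the same document. The marker check is a coarse signal rather than a replacement for the fix: it is useful for logging and alerting on requests that attempt object-mode documents against a service that should only ever receive plain data.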

Workarounds

None; users are recommended to upgrade to the newest version.

References

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2022-41875

Weaknesses

No CWEs

Credits