Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SNYK: High] Out-of-Bounds Write (Due 03/18/2022) #5058

Closed
3 tasks done
patphongs opened this issue Feb 16, 2022 · 1 comment · Fixed by #5109
Closed
3 tasks done

[SNYK: High] Out-of-Bounds Write (Due 03/18/2022) #5058

patphongs opened this issue Feb 16, 2022 · 1 comment · Fixed by #5109
Assignees
@fec-jli
Labels
Security: high Remediate within 30 days
Milestone
PI 17 innovation

Comments

@patphongs
Copy link
Member

patphongs commented Feb 16, 2022
edited by fec-jli

Affected versions of this package are vulnerable to Out-of-Bounds Write via a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode).

https://security.snyk.io/vuln/SNYK-PYTHON-UJSON-2359034

How to fix?
There is no fixed version for ujson.

No remediation path currently, as of 2/28/22.

Completion criteria:

  • Updated with remediation path if one becomes available during sprint
  • If not remediation path by 3/14 notify security team and push to next sprint. ("We use ujson for X, etc.)
  • solved in Upgrade Ujson to 520 #5109
@patphongs patphongs added this to the Sprint 17.4 milestone Feb 16, 2022
@patphongs patphongs mentioned this issue Feb 16, 2022
Closed
@pkfec pkfec mentioned this issue Feb 23, 2022
Closed
@JonellaCulmer JonellaCulmer added the Security: high Remediate within 30 days label Feb 24, 2022
@fec-jli fec-jli mentioned this issue Mar 2, 2022
Closed
@hcaofec hcaofec mentioned this issue Mar 9, 2022
Closed
1 task
@fec-jli fec-jli mentioned this issue Mar 10, 2022
Closed
@fec-jli fec-jli modified the milestones: Sprint 17.4, Sprint 17.5 Mar 10, 2022
@hcaofec hcaofec mentioned this issue Mar 16, 2022
Closed
@cnlucas cnlucas mentioned this issue Mar 23, 2022
Closed
1 task
@cnlucas cnlucas modified the milestones: Sprint 17.5, Sprint 17.6 Mar 23, 2022
@cnlucas cnlucas mentioned this issue Mar 30, 2022
Closed
@pkfec
Copy link
Contributor

pkfec commented Apr 21, 2022

@fec-jli Remediation path for ujson is now available. You may upgrade to 5.2.0 or higher
https://security.snyk.io/vuln/SNYK-PYTHON-UJSON-2359034

cc @patphongs

@fec-jli fec-jli mentioned this issue Apr 22, 2022
Merged
@patphongs patphongs mentioned this issue Feb 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fec-jli fec-jli

Labels
Security: high Remediate within 30 days
Projects
None yet
Milestone
PI 17 innovation
5 participants
@pkfec @patphongs @fec-jli @JonellaCulmer @cnlucas