CVE-2024-0727
Deserialization of Untrusted Data vulnerability in cryptography (PyPI)

Deserialization of Untrusted Data
No known exploit

What is CVE-2024-0727 About?

This vulnerability in the 'com.jsoniter:jsoniter' package concerns Deserialization of Untrusted Data via malicious JSON strings. It can lead to a Denial of Service and, in some cases, remote code execution. Exploitation could be straightforward for an attacker able to provide malicious JSON input.

Affected Software

cryptography <42.0.2

Technical Details

The vulnerability affects all versions of the 'com.jsoniter:jsoniter' package. It stems from the unsafe deserialization of untrusted JSON data: when the package processes malicious JSON strings, it fails to properly validate or sanitize the input during deserialization. This flaw allows an attacker to inject specially crafted data that, when deserialized, triggers unexpected behavior within the application. In the less severe case, this leads to a Denial of Service by causing the application to crash or consume excessive resources. In the more severe case, if the deserialized data includes executable code or controls vulnerable application logic, it can result in arbitrary code execution.

What is the Impact of CVE-2024-0727?

Successful exploitation may allow attackers to execute arbitrary code with the privileges of the affected application or cause the application to become unresponsive, leading to data manipulation, system compromise, or service interruption.

What is the Exploitability of CVE-2024-0727?

Exploitation requires the ability to provide untrusted, malicious JSON strings to an application using the vulnerable com.jsoniter:jsoniter package. The complexity level is low to moderate, depending on the application's input validation mechanisms. No specific authentication or high privilege levels are inherently required for exploitation, as the vulnerability typically resides in the data processing layer. This is generally a remote vulnerability as the attacker sends the malicious JSON over a network. The likelihood of exploitation increases in applications that accept and deserialize JSON input from external, unauthenticated, or untrusted sources without robust input validation or whitelisting of acceptable types and values.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2024-0727?

Available Upgrade Options

  • cryptography
    • <42.0.2 → Upgrade to 42.0.2


Additional Resources

What are Similar Vulnerabilities to CVE-2024-0727?

Similar Vulnerabilities: CVE-2020-11104, CVE-2020-11105, CVE-2020-11106, CVE-2019-10086, CVE-2017-7525