
CVE-2023-33460, ruby-yajl affected?


Anton Gladky

Jul 5, 2023, 1:00:04 AM
Hello,

I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
is affected. There is no direct dependency on yajl, where the vulnerability
was detected.

Should ruby-yajl be unmarked as affected by this CVE?

Thank you

Anton

Bastien Roucariès

Jul 5, 2023, 5:40:04 AM
On Wednesday, 5 July 2023, 04:52:48 UTC, Anton Gladky wrote:
> Hello,
>
> I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> is affected. There is no direct dependency on yajl, where the vulnerability
> was detected.
ruby-yajl includes an old version of yajl, 1.01.12.

The vulnerable code was introduced by https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb in version 2.1.0 in 2010.

Now the question is why this package uses such an old version.

Bastien

Tobias Frost

Jul 5, 2023, 12:20:03 PM
On Wed, Jul 05, 2023 at 09:06:15AM +0000, Bastien Roucariès wrote:
> On Wednesday, 5 July 2023, 04:52:48 UTC, Anton Gladky wrote:
> > Hello,
> >
> > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> > is affected. There is no direct dependency on yajl, where the vulnerability
> > was detected.
> ruby-yajl includes an old version of yajl, 1.01.12.
>
> The vulnerable code was introduced by https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb in version 2.1.0 in 2010.

This matches my investigation; however, a small correction: this commit is already part of version 2.0.0.

I've added a note in data/CVE/list accordingly.

--
Cheers,
tobi

Anton Gladky

Jul 6, 2023, 12:30:04 AM
Thanks all for the discussion.
@Tobias, thanks for marking the CVE in the list.

Best regards

Anton
