Hello,
I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
is affected. There is no direct dependency on yajl, where the vulnerability was detected.
Should ruby-yajl be unmarked as affected by this CVE?
Thank you
Anton

On Wednesday 5 July 2023, 04:52:48 UTC Anton Gladky wrote:
> Hello,
> I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> is affected. There is no direct dependency on yajl, where the vulnerability was detected.
ruby-yajl includes an old version of yajl 1.01.12
The vuln code was introduced by https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb in version 2.1.0 in 2010

On Wed, Jul 05, 2023 at 09:06:15AM +0000, Bastien Roucariès wrote:
> On Wednesday 5 July 2023, 04:52:48 UTC Anton Gladky wrote:
> > Hello,
> > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> > is affected. There is no direct dependency on yajl, where the
> > vulnerability was detected.
> ruby-yajl includes an old version of yajl 1.01.12
> The vuln code was introduced by https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb in version 2.1.0 in 2010
This matches my investigation, however, a small correction: this commit is already part of version 2.0.0.
I've added a note in data/CVE/list accordingly.
--
Cheers,
tobi