CVE-2023-33460

Published: Jun 6, 2023Modified: Jan 8, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which will cause out-of-memory in server and cause crash.

Affected (4)

Products: Yajl Project: Yajl · Fedoraproject: Fedora · Debian: Debian Linux

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Yajl Project Yajl	Version 2.1.0

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 37
Fedoraproject Fedora	Version 38

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0

Related CWEs

CWE-401

Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

References (14)

https://github.com/lloyd/yajl/issues/250

Source: cve@mitre.org

ExploitIssue TrackingPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/07/msg00000.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IBUUHG27RM4ROEYKMVRROR27AX6R63MB/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLE3C4CECEJ4EUYI56KXI6OWACWXX7WN/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO32YDJ74DADC7CMJNLSLBVWN5EXGF5J/

Source: cve@mitre.org

https://github.com/lloyd/yajl/issues/250