Vulnerability Description
In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole Ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This terminates the entire Ruby process and can be used for a denial of service.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Yajl-Ruby Project | Yajl-Ruby | 1.3.0 |
| Debian | Debian Linux | 7.0 |
Related Weaknesses (CWE)
References
- https://github.com/brianmario/yajl-ruby/issues/176 (Exploit, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2017/11/msg00010.html (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html
- https://rubygems.org/gems/yajl-ruby (Third Party Advisory)
FAQ
What is CVE-2017-16516?
CVE-2017-16516 is a vulnerability with a CVSS score of 7.5 (HIGH). In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole Ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. ...
How severe is CVE-2017-16516?
CVE-2017-16516 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2017-16516?
Check the references section above for vendor advisories and patch information. Affected products include Yajl-Ruby (Yajl-Ruby Project) and Debian Linux (Debian).