Vulnerability Description
A remote code execution (RCE) vulnerability in Optica allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Specially crafted JSON payloads may lead to RCE (remote code execution) on the attacked system running Optica. The vulnerability was patched in v. 0.10.2, where the call to the function `oj.load` was changed to `oj.safe_load`.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Airbnb | Optica | < 0.10.2 |
Related Weaknesses (CWE)
References
- https://github.com/airbnb/optica/security/advisories/GHSA-cf87-4h6x-phh6Third Party Advisory
- https://github.com/ohler55/oj/blob/develop/pages/Security.mdThird Party Advisory
- https://www.rubydoc.info/gems/oj/3.0.2/Oj.safe_loadRelease NotesVendor Advisory
- https://github.com/airbnb/optica/security/advisories/GHSA-cf87-4h6x-phh6Third Party Advisory
- https://github.com/ohler55/oj/blob/develop/pages/Security.mdThird Party Advisory
- https://www.rubydoc.info/gems/oj/3.0.2/Oj.safe_loadRelease NotesVendor Advisory
FAQ
What is CVE-2022-41875?
CVE-2022-41875 is a vulnerability with a CVSS score of 10.0 (CRITICAL). A remote code execution (RCE) vulnerability in Optica allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Specially crafted JSON payloads may lead to RCE (r...
How severe is CVE-2022-41875?
CVE-2022-41875 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-41875?
Check the references section above for vendor advisories and patch information. Affected products include: Airbnb Optica.