CVE-2022-3433

Exploit

EPSS 0.15%
Published 10.10.2022 22:15:10
Last modified 21.11.2024 07:19:30
Source secalert@redhat.com
Teams watchlist Login
Open Login

The aeson library is not safe to use to consume untrusted JSON input. A remote user could abuse this flaw to produce a hash collision in the underlying unordered-containers library by sending specially crafted JSON data, resulting in a denial of service.

Affected products Warnungen 0 Metrics 2 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Haskell ≫ Aeson Version < 2.0.1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.15%	0.367

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

CWE-328 Use of Weak Hash

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

https://cs-syd.eu/posts/2021-09-11-json-vulnerability

Patch

Third Party Advisory

Exploit

Technical Description

https://nvd.nist.gov/vuln/detail/CVE-2022-3433

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-3433

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-3433

EUVD