CVE-2017-16516
Severity CVSS v4.0:
Pending analysis
Type:
CWE-134
Format String Vulnerability
Publication date:
03/11/2017
Last modified:
20/04/2025
Description
In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:yajl-ruby_project:yajl-ruby:1.3.0:*:*:*:*:ruby:*:* | ||
| cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/brianmario/yajl-ruby/issues/176
- https://lists.debian.org/debian-lts-announce/2017/11/msg00010.html
- https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html
- https://rubygems.org/gems/yajl-ruby
- https://github.com/brianmario/yajl-ruby/issues/176
- https://lists.debian.org/debian-lts-announce/2017/11/msg00010.html
- https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html
- https://rubygems.org/gems/yajl-ruby