[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2023-33460, ruby-yajl affected?

Le mercredi 5 juillet 2023, 04:52:48 UTC Anton Gladky a écrit :
> Hello,
> I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> is affected. There is no direct dependency on yajl, where the vulnerability
> was detected.
ruby-yajl include a old version of yajl 1.01.12

The vuln code was introduced by https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb in version 2.1.0 in 2010

Now the question is why this package use a so old version

> Should ruby-yajl be unmarked as affected by this CVE?
> Thank you
> Anton

Reply to: