CVE-2022-41875: Remote Code Execution in Optica

A remote code execution (RCE) vulnerability in Optica allows unauthenticated attackers to execute arbitrary code on the system running Optica by sending specially crafted JSON payloads. The vulnerability was patched in v. 0.10.2, where the call to the function oj.load was changed to oj.safe_load.


On the 26th of July 2022, the GitHub Security Lab reported to Airbnb a remote code execution (RCE) vulnerability in Optica that allowed unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.

A patched version of Optica was released on the 28th of July 2022.

Impact

Specially crafted JSON payloads may lead to RCE (remote code execution) on the attacked system running Optica.

Patches

The vulnerability was patched in v. 0.10.2, where the call to the function oj.load was changed to oj.safe_load.

Workarounds

None; users are advised to upgrade to the newest version.

References

  • https://github.com/ohler55/oj/blob/develop/pages/Security.md
  • https://www.rubydoc.info/gems/oj/3.0.2/Oj.safe_load

For more information

If you have any questions or comments about this advisory:
