CVE-2022-41875: Remote Code Execution in Optica
A remote code execution (RCE) vulnerability in Optica allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads sent to a system running Optica. The vulnerability was patched in v0.10.2, where the call to Oj.load was changed to Oj.safe_load.
On the 26th of July 2022, the GitHub Security Lab reported to Airbnb a remote code execution (RCE) vulnerability in Optica that allowed unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.
A patched version of Optica was released on the 28th of July 2022.
Impact
Specially crafted JSON payloads may lead to RCE (remote code execution) on the attacked system running Optica.
Patches
The vulnerability was patched in v0.10.2, where the call to Oj.load was changed to Oj.safe_load. Oj.load defaults to Oj's :object mode, in which the JSON document itself can name the Ruby class to instantiate; Oj.safe_load parses in :strict mode with :auto_define and :symbol_keys turned off, so attacker-controlled JSON is only ever turned into plain Hash, Array, String, numeric, boolean and nil values.
Workarounds
None; users should upgrade to the newest version.
References
- https://github.com/ohler55/oj/blob/develop/pages/Security.md
- https://www.rubydoc.info/gems/oj/3.0.2/Oj.safe_load
For more information
If you have any questions or comments about this advisory:
- Open an issue in the Optica repository
- Email us at [email protected]