CVE Vulnerabilities

CVE-2017-16516

Use of Externally-Controlled Format String

Published: Nov 03, 2017 | Modified: Apr 20, 2025
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P
RedHat/V2
RedHat/V3
7.5 MODERATE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
LOW

In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service.

Weakness

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Affected Software

Name Vendor Start Version End Version
Yajl-ruby Yajl-ruby_project 1.3.0 (including) 1.3.0 (including)
Ruby-yajl Ubuntu artful *
Ruby-yajl Ubuntu esm-apps/xenial *
Ruby-yajl Ubuntu trusty *
Ruby-yajl Ubuntu upstream *
Ruby-yajl Ubuntu xenial *
Ruby-yajl Ubuntu zesty *
Yajl Ubuntu artful *
Yajl Ubuntu bionic *
Yajl Ubuntu cosmic *
Yajl Ubuntu disco *
Yajl Ubuntu eoan *
Yajl Ubuntu esm-infra-legacy/trusty *
Yajl Ubuntu esm-infra/bionic *
Yajl Ubuntu esm-infra/focal *
Yajl Ubuntu esm-infra/xenial *
Yajl Ubuntu focal *
Yajl Ubuntu groovy *
Yajl Ubuntu hirsute *
Yajl Ubuntu impish *
Yajl Ubuntu jammy *
Yajl Ubuntu kinetic *
Yajl Ubuntu lunar *
Yajl Ubuntu precise/esm *
Yajl Ubuntu trusty *
Yajl Ubuntu trusty/esm *
Yajl Ubuntu upstream *
Yajl Ubuntu xenial *
Yajl Ubuntu zesty *

Potential Mitigations

References