CVE-2024-27322

Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/04/29/3
https://hiddenlayer.com/research/r-bitrary-code-execution/
https://https://kb.cert.org/vuls/id/238194
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLV4OWXZIJ7EFBIWUZADUSHYJTFAQ4D/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JVE5FDLFJGTAMOSJ6DREFAODEUBRFWSG/
https://www.kb.cert.org/vuls/id/238194

Configurations

No configuration.

History

No history.

Information

Published : 2024-04-29 13:15

Updated : 2024-06-10 18:15

NVD link : CVE-2024-27322

Mitre link : CVE-2024-27322

CVE.ORG link : CVE-2024-27322

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2024-27322", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-04-29T13:15:30.413", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/04/29/3", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"}, {"url": "https://hiddenlayer.com/research/r-bitrary-code-execution/", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"}, {"url": "https://https://kb.cert.org/vuls/id/238194", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLV4OWXZIJ7EFBIWUZADUSHYJTFAQ4D/", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JVE5FDLFJGTAMOSJ6DREFAODEUBRFWSG/", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"}, {"url": "https://www.kb.cert.org/vuls/id/238194", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user\u2019s system when interacted with.\n"}, {"lang": "es", "value": "La deserializaci\u00f3n de datos que no son de confianza puede ocurrir en el lenguaje de programaci\u00f3n estad\u00edstica R, en cualquier versi\u00f3n desde 1.4.0 hasta 4.4.0 incluida, lo que permite que un archivo con formato RDS (R Data Serialization) creado con fines malintencionados o un paquete R ejecute c\u00f3digo arbitrario en el sistema de un usuario final cuando se interact\u00faa con \u00e9l."}], "lastModified": "2024-06-10T18:15:28.103", "sourceIdentifier": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"}