ALT-PU-2023-2730-1
Package gem-jmespath updated to version 1.6.2-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
Published: 2022-06-06
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2022-32511
jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable.
Severity: HIGH (7.5)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://github.com/jmespath/jmespath.rb/compare/v1.6.0...v1.6.1
- https://github.com/jmespath/jmespath.rb/pull/55
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/376NUPIPTYBWWGS33GO4UOLQRI4D3BTP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGZ2YWONVFFOPACHAT4MM7ZBT4DNHOF5/
- https://stackoverflow.com/a/30050571/580231
- https://github.com/jmespath/jmespath.rb/compare/v1.6.0...v1.6.1
- https://github.com/jmespath/jmespath.rb/pull/55
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/376NUPIPTYBWWGS33GO4UOLQRI4D3BTP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGZ2YWONVFFOPACHAT4MM7ZBT4DNHOF5/
- https://stackoverflow.com/a/30050571/580231