Advisories » MGASA-2024-0371

Updated rapidjson packages fix security vulnerability

Publication date: 27 Nov 2024
Modification date: 27 Nov 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-38517

Description

Tencent RapidJSON is vulnerable to privilege escalation due to an
integer underflow in the `GenericReader::ParseNumber()` function of
`include/rapidjson/reader.h` when parsing JSON text from a stream. An
attacker needs to send the victim a crafted file which needs to be
opened; this triggers the integer underflow vulnerability (when the file
is parsed), leading to elevation of privilege. (CVE-2024-38517)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=33803
• https://ubuntu.com/security/notices/USN-7125-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38517

SRPMS

9/core

• rapidjson-1.1.0-6.1.mga9