CVE-2022-41875
high-risk
Published 2022-11-23
A remote code execution (RCE) vulnerability in Optica allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Specially crafted JSON payloads may lead to RCE (remote code execution) on the attacked system running Optica. The vulnerability was patched in v. 0.10.2, where the call to the function `oj.load` was changed to `oj.safe_load`.
Do I need to act?
!
15.1% chance of exploitation in next 30 days
EPSS score — higher than 85% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 3af123cfa896838cde60a6e9a88384f9ffcee06d
10
CVSS 10.0/10
Critical
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (6)
Third Party Advisory
https://github.com/airbnb/optica/security/advisories/GHSA-cf87-4h6x-phh6
Third Party Advisory
https://github.com/ohler55/oj/blob/develop/pages/Security.md
Release Notes
https://www.rubydoc.info/gems/oj/3.0.2/Oj.safe_load
Third Party Advisory
https://github.com/airbnb/optica/security/advisories/GHSA-cf87-4h6x-phh6
Third Party Advisory
https://github.com/ohler55/oj/blob/develop/pages/Security.md
Release Notes
https://www.rubydoc.info/gems/oj/3.0.2/Oj.safe_load
51
/ 100
high-risk
Severity
33/34 · Critical
Exploitability
13/34 · Low
Exposure
5/34 · Minimal