CVE-2024-27322 - OpenCVE

Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/04/29/3
https://hiddenlayer.com/research/r-bitrary-code-execution/
https://https://kb.cert.org/vuls/id/238194
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLV4OWXZIJ7EFBIWUZADUSHYJTFAQ4D/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JVE5FDLFJGTAMOSJ6DREFAODEUBRFWSG/
https://www.kb.cert.org/vuls/id/238194

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: HiddenLayer

Published: 2024-04-29T13:02:37.062Z

Updated: 2024-04-29T20:11:23.096Z

Reserved: 2024-02-23T16:59:23.011Z

Link: CVE-2024-27322

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-04-29T13:15:30.413

Modified: 2024-06-10T18:15:28.103

Link: CVE-2024-27322

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-27322", "assignerOrgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "state": "PUBLISHED", "assignerShortName": "HiddenLayer", "dateReserved": "2024-02-23T16:59:23.011Z", "datePublished": "2024-04-29T13:02:37.062Z", "dateUpdated": "2024-04-29T20:11:23.096Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "R", "vendor": "The R Project", "versions": [{"lessThan": "4.4.0", "status": "affected", "version": "1.4.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user\u2019s system when interacted with.</span><br>"}], "value": "Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user\u2019s system when interacted with.\n"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "shortName": "HiddenLayer", "dateUpdated": "2024-04-29T20:11:23.096Z"}, "references": [{"url": "https://hiddenlayer.com/research/r-bitrary-code-execution/"}, {"url": "https://https://kb.cert.org/vuls/id/238194"}, {"url": "https://www.kb.cert.org/vuls/id/238194"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/29/3"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JVE5FDLFJGTAMOSJ6DREFAODEUBRFWSG/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLV4OWXZIJ7EFBIWUZADUSHYJTFAQ4D/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27322", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-29T20:54:11.018338Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:r_project:r:1.4.0:*:*:*:*:*:*:*"], "vendor": "r_project", "product": "r", "versions": [{"status": "affected", "version": "1.4.0", "lessThan": "4.4.0", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:47:05.511Z"}}]}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user\u2019s system when interacted with.\n"}, {"lang": "es", "value": "La deserializaci\u00f3n de datos que no son de confianza puede ocurrir en el lenguaje de programaci\u00f3n estad\u00edstica R, en cualquier versi\u00f3n desde 1.4.0 hasta 4.4.0 incluida, lo que permite que un archivo con formato RDS (R Data Serialization) creado con fines malintencionados o un paquete R ejecute c\u00f3digo arbitrario en el sistema de un usuario final cuando se interact\u00faa con \u00e9l."}], "id": "CVE-2024-27322", "lastModified": "2024-06-10T18:15:28.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "type": "Secondary"}]}, "published": "2024-04-29T13:15:30.413", "references": [{"source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "url": "http://www.openwall.com/lists/oss-security/2024/04/29/3"}, {"source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "url": "https://hiddenlayer.com/research/r-bitrary-code-execution/"}, {"source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "url": "https://https://kb.cert.org/vuls/id/238194"}, {"source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLV4OWXZIJ7EFBIWUZADUSHYJTFAQ4D/"}, {"source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JVE5FDLFJGTAMOSJ6DREFAODEUBRFWSG/"}, {"source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "url": "https://www.kb.cert.org/vuls/id/238194"}], "sourceIdentifier": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "type": "Secondary"}]}