Vulnerability DatabaseCVE-2023-33460

CVE-2023-33460:
NixOS vulnerability analysis and mitigation

Overview

A memory leak vulnerability was discovered in yajl version 2.1.0, specifically in the yajltreeparse function. The vulnerability was assigned CVE-2023-33460 and was first reported in May 2023. This issue affects the YAJL (Yet Another JSON Library) parser, which is a small event-driven JSON parser written in ANSI C (Github Issue).

Technical details

The vulnerability stems from a memory leak in the yajltreeparse function implementation. When processing certain JSON inputs, the function fails to properly free allocated memory, leading to resource exhaustion. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity and no privileges required (NVD).

Impact

The memory leak can cause the server to run out of memory and eventually crash, resulting in a denial of service condition. This impact is particularly significant for long-running server processes that process JSON data (Debian LTS).

Mitigation and workarounds

Multiple distributions have released patches to address this vulnerability. Debian has released fixes in versions 2.1.0-2+deb10u1 and 2.1.0-3+deb10u2 (Debian LTS). Fedora has addressed the issue in version 2.1.0-21 for both Fedora 37 and 38 (Fedora Update).

Additional resources

Source: This report was generated using AI

6.5

Score

Published June 6, 2023

Severity MEDIUM

CNA Score 6.5

Affected Technologies

NixOS
Rocky Linux

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 32

Exploitation Probability (EPSS) 0.1

Affected packages and libraries

libyajl2
libyajl-devel-static

Sources

NVD
AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: Nov 28, 2023
- AlmaLinux 9 Severity MEDIUMHas FixAdded at: Nov 16, 2023
Alpine Security Tracker
- Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, edge Severity MEDIUMHas FixAdded at: Dec 03, 2023
- Alpine 3.19, 3.20 Severity MEDIUMHas FixAdded at: Jun 12, 2024
- Alpine 3.21 Severity MEDIUMHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity MEDIUMHas FixAdded at: Jun 01, 2025
CBL-Mariner
- CBL-Mariner 1.0 Severity MEDIUMHas FixAdded at: Jul 31, 2023
- CBL-Mariner 2.0 Severity MEDIUMHas FixAdded at: Jul 01, 2023
- CBL-Mariner 3.0 Severity MEDIUMHas FixAdded at: May 04, 2025
Chainguard
- Chainguard Has FixAdded at: Jul 23, 2023
Debian Security Tracker
- Debian 10, 11, 12 Severity MEDIUMHas FixAdded at: Jun 10, 2023
- Debian 13 Severity MEDIUMHas FixAdded at: Jun 11, 2023
Homebrew
- Homebrew Severity MEDIUMNo FixAdded at: Feb 12, 2024
Nix
- Nix Severity MEDIUMNo FixAdded at: Nov 01, 2023
Photon Security Advisory
- Photon 5.0 Severity MEDIUMHas FixAdded at: Oct 02, 2023
Red Hat Errata
- Red Hat 7 Severity MEDIUMNo FixAdded at: Jul 16, 2023
- Red Hat 8 Severity MEDIUMHas FixAdded at: Jul 16, 2023
- Red Hat 9 Severity MEDIUMHas FixAdded at: Jul 16, 2023
Rocky Linux Product Errata
- Rocky 8 Severity MEDIUMHas FixAdded at: Dec 03, 2023
- Rocky 9 Severity MEDIUMHas FixAdded at: May 12, 2024
Ubuntu Security Tracker
- Ubuntu 14.04, 16.04, 20.04, 22.04, 23.04 Severity LOWHas FixAdded at: Jun 10, 2023
- Ubuntu 18.04 Severity LOWHas FixAdded at: Nov 13, 2023
Wolfi
- Wolfi Has FixAdded at: Jul 20, 2023