CVE-2023-33460: 
NixOS vulnerability analysis and mitigation

A memory leak vulnerability was discovered in yajl version 2.1.0, specifically in the yajl_tree_parse function. The vulnerability was assigned CVE-2023-33460 and was first reported in May 2023. This issue affects the YAJL (Yet Another JSON Library) parser, which is a small event-driven JSON parser written in ANSI C (Github Issue).

The vulnerability stems from a memory leak in the yajl_tree_parse function implementation. When processing certain JSON inputs, the function fails to properly free allocated memory, leading to resource exhaustion. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity and no privileges required (NVD).

The memory leak can cause the server to run out of memory and eventually crash, resulting in a denial of service condition. This impact is particularly significant for long-running server processes that process JSON data (Debian LTS).

Multiple distributions have released patches to address this vulnerability. Debian has released fixes in versions 2.1.0-2+deb10u1 and 2.1.0-3+deb10u2 (Debian LTS). Fedora has addressed the issue in version 2.1.0-21 for both Fedora 37 and 38 (Fedora Update).