CVE-2024-31755: 
NixOS vulnerability analysis and mitigation

A segmentation violation vulnerability was discovered in cJSON version 1.7.17, identified as CVE-2024-31755. The vulnerability is triggered through the second parameter of the function cJSON_SetValuestring in cJSON.c. This security issue was initially reported on April 25, 2024, and affects the cJSON library, a lightweight JSON parser for C (NVD, MITRE).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476). The issue occurs when a NULL valuestring is passed to the cJSON_SetValuestring function, leading to a null pointer dereference in the strlen comparison operation. The CVSS v3.1 base score is 7.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H (NVD).

The vulnerability can potentially cause a denial of service (DoS) condition through segmentation faults when exploited. The impact affects the availability, confidentiality, and integrity of systems using the vulnerable cJSON library version (GitHub Issue).

Several Linux distributions have released fixes for this vulnerability. Ubuntu has patched multiple versions: 24.04 LTS (noble) with version 1.7.17-1ubuntu0.1~esm2, 23.10 (mantic) with version 1.7.16-1ubuntu0.2, and 22.04 LTS (jammy) with version 1.7.15-1ubuntu0.1~esm2. Debian has also released fixes for bullseye (1.7.14-1+deb11u1), bookworm (1.7.15-1+deb12u2), and sid/trixie (1.7.18-3) (Ubuntu Security, Debian Tracker).