CVE-2024-27322 - OpenCVE

Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/04/29/3
https://hiddenlayer.com/research/r-bitrary-code-execution/
https://https://kb.cert.org/vuls/id/238194
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLV4OWXZIJ7EFBIWUZADUSHYJTFAQ4D/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JVE5FDLFJGTAMOSJ6DREFAODEUBRFWSG/
https://www.kb.cert.org/vuls/id/238194

History

No history.

MITRE

Status: PUBLISHED

Assigner: HiddenLayer

Published: 2024-04-29T13:02:37.062Z

Updated: 2024-08-02T00:34:50.976Z

Reserved: 2024-02-23T16:59:23.011Z

Link: CVE-2024-27322

Vulnrichment

Updated: 2024-08-02T00:34:50.976Z

NVD

Status : Awaiting Analysis

Published: 2024-04-29T13:15:30.413

Modified: 2024-06-10T18:15:28.103

Link: CVE-2024-27322

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-27322", "assignerOrgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "state": "PUBLISHED", "assignerShortName": "HiddenLayer", "dateReserved": "2024-02-23T16:59:23.011Z", "datePublished": "2024-04-29T13:02:37.062Z", "dateUpdated": "2024-08-02T00:34:50.976Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "R", "vendor": "The R Project", "versions": [{"lessThan": "4.4.0", "status": "affected", "version": "1.4.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user\u2019s system when interacted with.</span><br>"}], "value": "Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user\u2019s system when interacted with.\n"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "shortName": "HiddenLayer", "dateUpdated": "2024-04-29T20:11:23.096Z"}, "references": [{"url": "https://hiddenlayer.com/research/r-bitrary-code-execution/"}, {"url": "https://https://kb.cert.org/vuls/id/238194"}, {"url": "https://www.kb.cert.org/vuls/id/238194"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/29/3"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JVE5FDLFJGTAMOSJ6DREFAODEUBRFWSG/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLV4OWXZIJ7EFBIWUZADUSHYJTFAQ4D/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27322", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-29T20:54:11.018338Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:r_project:r:1.4.0:*:*:*:*:*:*:*"], "vendor": "r_project", "product": "r", "versions": [{"status": "affected", "version": "1.4.0", "lessThan": "4.4.0", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:47:05.511Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:34:50.976Z"}, "title": "CVE Program Container", "references": [{"url": "https://hiddenlayer.com/research/r-bitrary-code-execution/", "tags": ["x_transferred"]}, {"url": "https://https://kb.cert.org/vuls/id/238194", "tags": ["x_transferred"]}, {"url": "https://www.kb.cert.org/vuls/id/238194", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/29/3", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JVE5FDLFJGTAMOSJ6DREFAODEUBRFWSG/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLV4OWXZIJ7EFBIWUZADUSHYJTFAQ4D/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://hiddenlayer.com/research/r-bitrary-code-execution/", "tags": ["x_transferred"]}, {"url": "https://https://kb.cert.org/vuls/id/238194", "tags": ["x_transferred"]}, {"url": "https://www.kb.cert.org/vuls/id/238194", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/29/3", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JVE5FDLFJGTAMOSJ6DREFAODEUBRFWSG/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLV4OWXZIJ7EFBIWUZADUSHYJTFAQ4D/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:34:50.976Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27322", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-29T20:54:11.018338Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:r_project:r:1.4.0:*:*:*:*:*:*:*"], "vendor": "r_project", "product": "r", "versions": [{"status": "affected", "version": "1.4.0", "lessThan": "4.4.0", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-29T13:37:42.561Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "The R Project", "product": "R", "versions": [{"status": "affected", "version": "1.4.0", "lessThan": "4.4.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://hiddenlayer.com/research/r-bitrary-code-execution/"}, {"url": "https://https://kb.cert.org/vuls/id/238194"}, {"url": "https://www.kb.cert.org/vuls/id/238194"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/29/3"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JVE5FDLFJGTAMOSJ6DREFAODEUBRFWSG/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLV4OWXZIJ7EFBIWUZADUSHYJTFAQ4D/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user\u2019s system when interacted with.\n", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user\u2019s system when interacted with.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "shortName": "HiddenLayer", "dateUpdated": "2024-04-29T20:11:23.096Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27322", "state": "PUBLISHED", "dateUpdated": "2024-08-02T00:34:50.976Z", "dateReserved": "2024-02-23T16:59:23.011Z", "assignerOrgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "datePublished": "2024-04-29T13:02:37.062Z", "assignerShortName": "HiddenLayer"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user\u2019s system when interacted with.\n"}, {"lang": "es", "value": "La deserializaci\u00f3n de datos que no son de confianza puede ocurrir en el lenguaje de programaci\u00f3n estad\u00edstica R, en cualquier versi\u00f3n desde 1.4.0 hasta 4.4.0 incluida, lo que permite que un archivo con formato RDS (R Data Serialization) creado con fines malintencionados o un paquete R ejecute c\u00f3digo arbitrario en el sistema de un usuario final cuando se interact\u00faa con \u00e9l."}], "id": "CVE-2024-27322", "lastModified": "2024-06-10T18:15:28.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "type": "Secondary"}]}, "published": "2024-04-29T13:15:30.413", "references": [{"source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "url": "http://www.openwall.com/lists/oss-security/2024/04/29/3"}, {"source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "url": "https://hiddenlayer.com/research/r-bitrary-code-execution/"}, {"source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "url": "https://https://kb.cert.org/vuls/id/238194"}, {"source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLV4OWXZIJ7EFBIWUZADUSHYJTFAQ4D/"}, {"source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JVE5FDLFJGTAMOSJ6DREFAODEUBRFWSG/"}, {"source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "url": "https://www.kb.cert.org/vuls/id/238194"}], "sourceIdentifier": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "type": "Secondary"}]}