Описание
Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| r-base | fixed | 4.4.0-2 | package |
Примечания
https://hiddenlayer.com/research/r-bitrary-code-execution/
https://kb.cert.org/vuls/id/238194
https://src.fedoraproject.org/rpms/R/blob/f39/f/R-CVE-2024-27322.patch
https://github.com/r-devel/r-svn/commit/f7c46500f455eb4edfc3656c3fa20af61b16abb7
https://blog.r-project.org/2024/05/10/statement-on-cve-2024-27322/index.html
Not considered a security issue by R Core (upstream) and the R Foundation.
Связанные уязвимости
Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.
Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.
Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.
Уязвимость интерпретатора языка программирования R, связанная с недостатками механизма десериализации, позволяющая нарушителю выполнить произвольный код в целевой системе