Description
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, when a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.
A flaw was found in cbor2. When a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory. This allows an attacker-controlled message to read sensitive data from previously decoded messages if the decoder is reused across trust boundaries, leading to information disclosure.
Statement
This vulnerability is rated Moderate for Red Hat products. The flaw in cbor2 allows information disclosure if a CBORDecoder instance is reused across trust boundaries. This could lead to an attacker-controlled message reading sensitive data from previously decoded messages. This affects Red Hat AI Inference Server, Red Hat Enterprise Linux AI, and Red Hat OpenShift AI when processing untrusted CBOR data with a reused decoder.
Mitigation
To mitigate this issue, applications utilizing the cbor2 library should avoid reusing CBORDecoder instances when processing data from different trust levels. If CBORDecoder reuse is unavoidable, ensure that sensitive data is not processed by a decoder instance that will subsequently handle untrusted input. This operational control prevents an attacker from accessing prior decoded information.
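The following is an added example, not code from the cbor2 project or from this advisory. It is a deliberately small pure-Python CBOR decoder (integers, byte and text strings, arrays, and tags only) written here to make the mechanism in the Description and the control in the Mitigation concrete without depending on the real library: tag 28 registers a value in a per-decoder table, tag 29 reads an index from that table, and if the table is not cleared between decode calls, a second message can pull out a value the first message marked shareable. The class `ToyCBORDecoder`, its `reset_shared_per_message` flag, and the two messages (a trusted one carrying a fake secret, an attacker one consisting only of a sharedref to slot 0) are all constructed for this illustration and are not cbor2 identifiers.

```python
"""Toy CBOR decoder showing how shareable (28) / sharedref (29) state can leak
across decode calls when one decoder instance is reused.  Illustrative only:
this is not cbor2's implementation.
"""


class SharedRefError(ValueError):
    """Raised when a sharedref (tag 29) points at a slot that does not exist."""


class ToyCBORDecoder:
    """Minimal decoder: major types 0 (uint), 2 (bytes), 3 (text), 4 (array), 6 (tag)."""

    def __init__(self, reset_shared_per_message: bool = True):
        # Table of values registered via tag 28.  It lives on the instance, so
        # whether it survives between decode() calls is the whole story here.
        self._shareables: list = []
        self._reset = reset_shared_per_message
        self._buf = b""
        self._pos = 0

    def decode(self, data: bytes):
        if self._reset:
            # Hardened behaviour: forget shareables from any earlier message.
            self._shareables = []
        self._buf, self._pos = data, 0
        value = self._item()
        if self._pos != len(data):
            raise ValueError("trailing bytes after CBOR item")
        return value

    def _read(self, n: int) -> bytes:
        if self._pos + n > len(self._buf):
            raise ValueError("truncated CBOR input")
        chunk = self._buf[self._pos:self._pos + n]
        self._pos += n
        return chunk

    def _uint(self, ai: int) -> int:
        # Additional info < 24 is the value itself; 24..27 select a 1/2/4/8-byte length.
        if ai < 24:
            return ai
        size = {24: 1, 25: 2, 26: 4, 27: 8}.get(ai)
        if size is None:
            raise ValueError("unsupported additional info %d" % ai)
        return int.from_bytes(self._read(size), "big")

    def _item(self):
        head = self._read(1)[0]
        major, ai = head >> 5, head & 0x1F
        if major == 0:
            return self._uint(ai)
        if major == 2:
            return self._read(self._uint(ai))
        if major == 3:
            return self._read(self._uint(ai)).decode("utf-8")
        if major == 4:
            return [self._item() for _ in range(self._uint(ai))]
        if major == 6:
            tag = self._uint(ai)
            if tag == 28:  # shareable: reserve a slot first so self-references resolve
                slot = len(self._shareables)
                self._shareables.append(None)
                self._shareables[slot] = self._item()
                return self._shareables[slot]
            if tag == 29:  # sharedref: look up a previously registered slot
                idx = self._item()
                if not isinstance(idx, int) or idx < 0 or idx >= len(self._shareables):
                    raise SharedRefError("sharedref to unknown slot %r" % (idx,))
                return self._shareables[idx]
            return (tag, self._item())  # other tags: keep the tag number alongside the value
        raise ValueError("unsupported major type %d" % major)


# --- tiny encoder helpers used only to build the sample messages below ---
def _head(major: int, n: int) -> bytes:
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 256:
        return bytes([(major << 5) | 24, n])
    return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")


def enc_uint(n: int) -> bytes:
    return _head(0, n)


def enc_text(s: str) -> bytes:
    b = s.encode("utf-8")
    return _head(3, len(b)) + b


def enc_array(items: list) -> bytes:
    return _head(4, len(items)) + b"".join(items)


def enc_tag(tag: int, payload: bytes) -> bytes:
    return _head(6, tag) + payload


# Constructed sample input.  The trusted message marks a fake secret as shareable;
# the attacker message is nothing but "give me shareable slot 0".
TRUSTED_MSG = enc_array([enc_text("user"), enc_tag(28, enc_text("hunter2-api-key"))])
ATTACKER_MSG = enc_tag(29, enc_uint(0))


def leak_with_reused_decoder(trusted: bytes = TRUSTED_MSG, attacker: bytes = ATTACKER_MSG):
    """Vulnerable pattern: one decoder, shared table never cleared, two trust levels."""
    dec = ToyCBORDecoder(reset_shared_per_message=False)
    dec.decode(trusted)
    return dec.decode(attacker)  # hands back the trusted message's secret


def reused_decoder_with_reset(trusted: bytes = TRUSTED_MSG, attacker: bytes = ATTACKER_MSG):
    """Patched-style behaviour: same instance, but the table is cleared per decode()."""
    dec = ToyCBORDecoder(reset_shared_per_message=True)
    dec.decode(trusted)
    try:
        return dec.decode(attacker)
    except SharedRefError:
        return None


def fresh_decoder_per_message(trusted: bytes = TRUSTED_MSG, attacker: bytes = ATTACKER_MSG):
    """Operational mitigation from the advisory: never share an instance across trust boundaries."""
    ToyCBORDecoder(reset_shared_per_message=False).decode(trusted)
    try:
        return ToyCBORDecoder(reset_shared_per_message=False).decode(attacker)
    except SharedRefError:
        return None


if __name__ == "__main__":
    print("reused, no reset :", leak_with_reused_decoder())
    print("reused, reset    :", reused_decoder_with_reset())
    print("fresh per message:", fresh_decoder_per_message())
```

With the real library the equivalent of `fresh_decoder_per_message` is simply to construct a new decoder for each message, or to use `cbor2.loads()`, which builds one internally per call; the flag in the toy class only exists to show, side by side, why clearing the shareable table per call removes the cross-message reference while in-message sharing (a tag 29 that points back at a tag 28 in the same message) keeps working.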
Affected Packages
| Platform | Package | State | Errata | Release Date |
|---|---|---|---|---|
| Red Hat AI Inference Server | rhaiis/vllm-rocm-rhel9 | Affected | | |
| Red Hat AI Inference Server | rhaiis/vllm-spyre-rhel9 | Affected | | |
| Red Hat AI Inference Server | rhaiis/vllm-tpu-rhel9 | Affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/bootc-aws-cuda-rhel9 | Out of support scope | | |
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/bootc-azure-cuda-rhel9 | Out of support scope | | |
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/bootc-cuda-rhel9 | Out of support scope | | |
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/bootc-gcp-cuda-rhel9 | Out of support scope | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-vllm-cpu-rhel9 | Fix deferred | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-vllm-cuda-rhel9 | Fix deferred | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-vllm-rocm-rhel9 | Fix deferred | | |
Additional information
Status:
5.3 Medium
CVSS3
Related Vulnerabilities
CBORDecoder reuse can leak shareable values across decode calls