VYPR
Unrated severity · NVD Advisory · Published Feb 13, 2024 · Updated Aug 19, 2024

CVE-2022-48623

Description

The Cpanel::JSON::XS package before 4.33 for Perl performs out-of-bounds accesses in a way that allows attackers to obtain sensitive information or cause a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cpanel::JSON::XS before 4.33 in Perl has out-of-bounds accesses enabling information disclosure or denial of service.

Vulnerability

In the Cpanel::JSON::XS Perl module, versions prior to 4.33 contain out-of-bounds memory accesses [1]. The flaw resides in the JSON parsing logic and can be triggered when processing specially crafted input. No special configuration is required; the vulnerable code path is reachable during normal JSON decoding operations. Affected versions include all releases before 4.33 [1].

Exploitation

An attacker can exploit this vulnerability by supplying a malicious JSON payload to an application that uses Cpanel::JSON::XS to parse untrusted data. No authentication or elevated privileges are required; the attacker only needs network access to deliver the payload. The out-of-bounds access occurs during parsing, and the attack can be performed remotely without user interaction.

Impact

Successful exploitation allows an attacker to read sensitive information from memory beyond the intended buffer (information disclosure) or cause the application to crash, resulting in a denial of service (DoS). The exact impact depends on how the module is used, but both confidentiality and availability are potentially compromised.

Mitigation

The vulnerability is fixed in version 4.33 of Cpanel::JSON::XS [1]. Users should upgrade to 4.33 or later immediately. There is no known workaround short of updating the module. The package is not known to be listed on CISA's KEV.
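
A version check for the upgrade advice above, as an added example that is not part of the advisory or of the Cpanel::JSON::XS project. The function names are hypothetical, and the comparison assumes the module's decimal version numbers (as in 4.33).

```shell
#!/bin/sh
# Added example: flag Cpanel::JSON::XS installs older than the fixed release.
FIXED_VERSION="4.33"   # fixed release named in the advisory

# version_status VERSION -> prints "vulnerable", "fixed" or "unknown".
# Perl decimal versions compare numerically (4.3 means 4.30, so it is < 4.33);
# developer releases such as 4.32_01 are read with the underscore removed.
version_status() {
    v=$(printf '%s' "$1" | tr -d '_')
    case "$v" in
        ''|*[!0-9.]*|*.*.*|.*|*.) echo unknown; return 0 ;;
    esac
    if awk -v v="$v" -v f="$FIXED_VERSION" 'BEGIN { exit !((v + 0) < (f + 0)) }'; then
        echo vulnerable
    else
        echo fixed
    fi
}

# installed_version [PERL] -> prints the module version that interpreter loads,
# or nothing when perl or the module is missing.
installed_version() {
    "${1:-perl}" -MCpanel::JSON::XS -e 'print $Cpanel::JSON::XS::VERSION' 2>/dev/null || true
}

# report [PERL...] -> one line per interpreter. Pass every perl on the host:
# system perl, perlbrew builds and container images each carry their own copy.
report() {
    [ "$#" -gt 0 ] || set -- perl
    for p in "$@"; do
        ver=$(installed_version "$p")
        if [ -z "$ver" ]; then
            echo "$p: Cpanel::JSON::XS not installed (or perl not found)"
        else
            echo "$p: Cpanel::JSON::XS $ver -> $(version_status "$ver")"
        fi
    done
}

report "$@"
```

Run it with the path of each perl interpreter as an argument; any line ending in `vulnerable` identifies a copy that still needs the upgrade to 4.33 or later.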

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
