CVE-2024-27322
Published: 29 April 2024
Summary
CVE-2024-27322 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Fedoraproject (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 10.6% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-27322 is a deserialization of untrusted data vulnerability in the R statistical programming language affecting all versions from 1.4.0 up to but not including 4.4.0. It resides in the handling of RDS-formatted files and R packages, where untrusted serialized data can trigger arbitrary code execution upon interaction. The flaw is tracked under CWE-502 and carries a CVSS 3.1 score of 8.8.
An attacker can supply a maliciously crafted RDS file or R package that, when opened or loaded by an end user, executes arbitrary code on the victim system with the privileges of the R process. Exploitation requires user interaction such as loading the file or package but needs no other authentication or special network position.
Advisories referenced in the CERT coordination entry, Openwall oss-security list, HiddenLayer research disclosure, and Fedora package-announce lists describe the issue and point to updated R builds that remediate the deserialization behavior.
EPSS for the CVE rose from lower values to a peak of 0.0780 before receding to the current 0.0453, indicating measurable post-disclosure exploitation interest that later subsided.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-24532
Vulnerability details
Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing that supplies malicious serialized objects detects unsafe deserialization and drives corrective action.
- Deserialization testing (evaluating how untrusted data is handled) reveals unsafe processing, which the required remediation process then addresses.
- Sandboxing: untrusted serialized data is deserialized and observed inside an isolated environment, so a gadget chain cannot execute outside the sandbox.
- Input validation validates or rejects untrusted serialized data before deserialization occurs.
- Boundary controls identify and block malicious code introduced through deserialization of untrusted data at system boundaries.
- Integrity verification of serialized data can detect tampering before deserialization occurs.
- Data provenance allows untrusted sources to be identified before deserialization or processing occurs.
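The last two controls, integrity verification and provenance, are the ones a defender can put in front of readRDS() today on hosts that have not yet moved to R 4.4.0. The Python below is an added example, not code from this page, the R project or any of the referenced advisories. It gates an RDS file on a SHA-256 allowlist and records what R version claims to have written it, all without deserializing the body. The header layout it assumes follows R's serialize.c (a two-byte format tag, then three big-endian 32-bit integers for XDR streams, plus the native encoding name in serialization version 3); the sample file, the allowlist entries and the source labels are constructed for the demo.

```python
"""Pre-load vetting for RDS files that cross a trust boundary.

Added example for this CVE page, not R project code. It realises two of
the controls listed above, integrity verification (a SHA-256 allowlist
consulted before readRDS() is ever called) and provenance recording
(what R version claims to have written the file), without deserializing
the body. The header layout assumed here follows R's serialize.c: a
two-byte format tag, then three big-endian 32-bit ints (serialization
version, writer R version, minimum reader R version) for XDR streams,
and for serialization version 3 the native encoding name. The sample
file and allowlist entries are constructed for the demo.
"""
import gzip
import hashlib
import struct

XDR_TAG = b"X\n"          # binary XDR stream, what saveRDS() writes
GZIP_MAGIC = b"\x1f\x8b"  # saveRDS() compresses with gzip by default


def pack_r_version(major: int, minor: int, patch: int) -> int:
    """R encodes a version number as (major << 16) | (minor << 8) | patch."""
    return (major << 16) | (minor << 8) | patch


def decode_r_version(packed: int) -> str:
    """Inverse of pack_r_version: 0x040300 -> '4.3.0'."""
    return f"{packed >> 16}.{(packed >> 8) & 0xFF}.{packed & 0xFF}"


def parse_rds_header(blob: bytes) -> dict:
    """Return the header fields of an RDS blob; the object body is never decoded."""
    if blob[:2] == GZIP_MAGIC:
        blob = gzip.decompress(blob)
    if blob[:2] != XDR_TAG:
        raise ValueError(f"not an XDR RDS stream, tag {blob[:2]!r}")
    ser_ver, writer, min_reader = struct.unpack(">III", blob[2:14])
    offset = 14
    encoding = None
    if ser_ver == 3:  # version 3 appends the writer's native encoding name
        (enc_len,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        encoding = blob[offset:offset + enc_len].decode("ascii")
        offset += enc_len
    return {
        "serialization_version": ser_ver,
        "writer_r_version": decode_r_version(writer),
        "min_reader_r_version": decode_r_version(min_reader),
        "native_encoding": encoding,
        "body_offset": offset,
    }


def vet_rds(blob: bytes, allowlist: dict) -> dict:
    """Gate an RDS blob before it reaches readRDS().

    Only a blob whose SHA-256 appears in `allowlist` (digest -> source label)
    is cleared. The header is parsed for triage only: it is part of the
    attacker-controlled file, so it never contributes to the verdict.
    """
    digest = hashlib.sha256(blob).hexdigest()
    try:
        header = parse_rds_header(blob)
        reason = None
    except Exception as exc:  # truncated, corrupt or non-RDS input
        header, reason = None, str(exc)
    return {
        "sha256": digest,
        "source": allowlist.get(digest),
        "cleared": header is not None and digest in allowlist,
        "header": header,
        "parse_error": reason,
    }


def build_sample_rds(writer=(4, 3, 0), compress=True) -> bytes:
    """Constructed sample: a version-3 XDR stream whose body is R's NULL."""
    raw = XDR_TAG + struct.pack(
        ">III", 3, pack_r_version(*writer), pack_r_version(3, 5, 0))
    raw += struct.pack(">I", 5) + b"UTF-8"   # native encoding, version 3 only
    raw += struct.pack(">I", 254)            # flags word 254 = NILVALUE_SXP
    return gzip.compress(raw, mtime=0) if compress else raw


if __name__ == "__main__":
    trusted = build_sample_rds()
    allow = {hashlib.sha256(trusted).hexdigest(): "internal-model-store"}
    for name, blob in [("trusted", trusted),
                       ("unknown", build_sample_rds(writer=(4, 2, 1))),
                       ("junk", b"not an rds file")]:
        verdict = vet_rds(blob, allow)
        print(name, "cleared" if verdict["cleared"] else "BLOCKED",
              verdict["header"] or verdict["parse_error"])
```

The allowlist is the only input to the verdict; the header fields are logged so an analyst can see which R build produced a blocked file, but since they are written by whoever produced the file they are provenance hints, not trust signals. This gate is a compensating control on readers below 4.4.0; the advisories referenced above point to updated R builds as the remediation.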