UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps(), ujson.dump() and ujson.encode() have a reject_bytes=False option. When it is set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input validation bypass and data integrity issues. This vulnerability is fixed in 5.13.0.
{
"binaries": [
{
"binary_name": "python-pandas",
"binary_version": "0.13.1-2ubuntu2"
},
{
"binary_name": "python-pandas-lib",
"binary_version": "0.13.1-2ubuntu2"
},
{
"binary_name": "python3-pandas",
"binary_version": "0.13.1-2ubuntu2"
},
{
"binary_name": "python3-pandas-lib",
"binary_version": "0.13.1-2ubuntu2"
}
]
}
{
"binaries": [
{
"binary_name": "python-pandas",
"binary_version": "0.17.1-3ubuntu2"
},
{
"binary_name": "python-pandas-lib",
"binary_version": "0.17.1-3ubuntu2"
},
{
"binary_name": "python3-pandas",
"binary_version": "0.17.1-3ubuntu2"
},
{
"binary_name": "python3-pandas-lib",
"binary_version": "0.17.1-3ubuntu2"
}
]
}
{
"binaries": [
{
"binary_name": "python-pandas",
"binary_version": "0.22.0-4ubuntu1"
},
{
"binary_name": "python-pandas-lib",
"binary_version": "0.22.0-4ubuntu1"
},
{
"binary_name": "python3-pandas",
"binary_version": "0.22.0-4ubuntu1"
},
{
"binary_name": "python3-pandas-lib",
"binary_version": "0.22.0-4ubuntu1"
}
]
}