CVE-2022-4064

LOW

Dalli <3.2.2 - Injection

Title source: llm

Description

A vulnerability was found in Dalli up to 3.2.2. It has been classified as problematic. Affected is the function self.meta_set of the file lib/dalli/protocol/meta/request_formatter.rb of the component Meta Protocol Handler. The manipulation of the argument cas/ttl leads to injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.2.3 is able to address this issue. The patch is identified as 48d594dae55934476fec61789e7a7c3700e0f50d. It is recommended to upgrade the affected component.

References (7)

[Release Notes] https://github.com/petergoldstein/dalli/releases/tag/v3.2.3

[Third Party Advisory] https://vuldb.com/?id.214026

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.214026

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/petergoldstein/dalli/issues/932

[Patch, Third Party Advisory] https://github.com/petergoldstein/dalli/pull/933

[Patch, Third Party Advisory] https://github.com/petergoldstein/dalli/commit/48d594dae55934476fec61789e7a7c3700e0f50d

View Patch ZIP pw:eip

[Various Sources] https://github.com/advisories/GHSA-3xg8-cc8f-9wv2

Scores

CVSS v3 3.7

EPSS 0.0030

EPSS Percentile 53.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-74 CWE-707

Status published

Products (2)

dalli_project/dalli - - 3.2.3

rubygems/dalli 0 - 3.2.3RubyGems

Published Nov 19, 2022

Tracked Since Feb 18, 2026