https://thehackernews.com/2024/04/new-r-programming-vulnerability-exposes.html
How about citing the following R risk issue, affecting versions before R 4.3.1.
New R programming vulnerability exposes projects to supply chain attacks:
https://thehackernews.com/2024/04/new-r-programming-vulnerability-exposes.html
A critical security vulnerability, CVE-2024-27322, has been identified in R versions 1.4.0 through 4.3.1. This flaw allows attackers to execute arbitrary code by exploiting the deserialization process of untrusted data, particularly through maliciously crafted RDS (R Data Serialization) files or R packages. The issue stems from R's handling of promise objects and lazy evaluation, enabling an attacker to embed arbitrary R code within an RDS file that executes upon loading and accessing the associated object. This vulnerability poses significant risks in environments where R packages are shared, potentially leading to widespread supply chain attacks.
This issue was fixed in R 4.4.0.
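As an added, defender-side illustration (this is not code from the article or from the R project): a small read-only walker over the XDR serialization format that R's `saveRDS` writes, reporting whether a promise object (SEXP type PROMSXP, type code 5) appears anywhere in the stream before the file is ever handed to `readRDS`. The type codes and flag layout follow R's serialize.c; the two sample streams are hand-assembled inline to mimic that layout (the symbol name `some_function` is a placeholder), and any SEXP type the walker does not implement, such as bytecode, makes it fail closed with a `ValueError`.

```python
# Added example: scan an RDS stream for promise objects before deserializing it.
# Not from the article or the R project; format details follow R's serialize.c.
import gzip
import struct

# SEXP type codes from R's Rinternals.h / serialize.c
SYMSXP, LISTSXP, CLOSXP, ENVSXP, PROMSXP, LANGSXP = 1, 2, 3, 4, 5, 6
CHARSXP, LGLSXP, INTSXP, REALSXP, CPLXSXP, STRSXP = 9, 10, 13, 14, 15, 16
DOTSXP, VECSXP, EXPRSXP, RAWSXP, S4SXP = 17, 19, 20, 24, 25
REFSXP, NILVALUE_SXP, UNBOUNDVALUE_SXP = 255, 254, 252
# pseudo-SEXPs (NIL, global/empty/base env, unbound, missing arg, base ns) carry no body
NO_BODY = {NILVALUE_SXP, 253, UNBOUNDVALUE_SXP, 251, 247, 242, 241}
PAIRLIKE = {LISTSXP, CLOSXP, PROMSXP, LANGSXP, DOTSXP}  # attr, tag, CAR, CDR


class RdsWalker:
    def __init__(self, data: bytes):
        if data[:2] == b"\x1f\x8b":            # saveRDS compresses with gzip by default
            data = gzip.decompress(data)
        self.buf, self.pos, self.types = data, 0, []

    def _take(self, n: int) -> bytes:
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated RDS stream")
        self.pos += n
        return chunk

    def _int(self) -> int:
        return struct.unpack(">i", self._take(4))[0]   # XDR is big-endian

    def _length(self) -> int:
        n = self._int()
        if n == -1:                            # long vector: length in two more ints
            n = (self._int() << 32) | (self._int() & 0xFFFFFFFF)
        return n

    def read_header(self) -> int:
        if self._take(2) != b"X\n":
            raise ValueError("not an XDR RDS stream")
        version = self._int()
        self._int(); self._int()               # writer and minimum-reader R versions
        if version == 3:
            self._take(self._int())            # native encoding name
        elif version != 2:
            raise ValueError(f"unsupported serialization version {version}")
        return version

    def read_item(self) -> None:
        flags = self._int()
        stype = flags & 0xFF
        has_attr, has_tag = bool(flags & (1 << 9)), bool(flags & (1 << 10))
        self.types.append(stype)
        if stype in NO_BODY:
            return
        if stype == REFSXP:                    # ref index packed above bit 8, else follows
            if flags >> 8 == 0:
                self._int()
            return
        if stype in PAIRLIKE:                  # promises are serialized in this shape
            if has_attr: self.read_item()
            if has_tag: self.read_item()       # PRENV for a promise
            self.read_item()                   # CAR: PRVALUE for a promise
            self.read_item()                   # CDR: PRCODE for a promise
            return
        if stype == SYMSXP:
            self.read_item()                   # the symbol's CHARSXP name
            return
        if stype == ENVSXP:
            self._int()                        # locked flag
            for _ in range(4):                 # enclos, frame, hashtab, attrib
                self.read_item()
            return
        if stype == CHARSXP:
            n = self._int()
            if n != -1:                        # -1 encodes NA_character_
                self._take(n)
        elif stype in (LGLSXP, INTSXP):
            self._take(4 * self._length())
        elif stype == REALSXP:
            self._take(8 * self._length())
        elif stype == CPLXSXP:
            self._take(16 * self._length())
        elif stype == RAWSXP:
            self._take(self._length())
        elif stype in (STRSXP, VECSXP, EXPRSXP):
            for _ in range(self._length()):
                self.read_item()
        elif stype != S4SXP:                   # bytecode, ALTREP, ... : fail closed
            raise ValueError(f"unsupported SEXP type {stype}")
        if has_attr:
            self.read_item()


def scan_rds(data: bytes) -> dict:
    """Return every SEXP type seen and whether a promise is among them."""
    w = RdsWalker(data)
    w.read_header()
    w.read_item()
    if w.pos != len(w.buf):
        raise ValueError("trailing bytes after top-level object")
    return {"has_promise": PROMSXP in w.types, "types": w.types}


# --- constructed sample streams (hand-assembled here, not produced by R) -----
def _ints(*vals: int) -> bytes:
    return struct.pack(">" + "i" * len(vals), *vals)

HEADER = b"X\n" + _ints(2, 0x00040301, 0x00020300)    # format 2, "written by 4.3.1"
BENIGN_RDS = HEADER + _ints(INTSXP, 3, 1, 2, 3)         # the integer vector 1:3
_name = b"some_function"                                # hypothetical symbol name
_call = _ints(LANGSXP, SYMSXP, CHARSXP, len(_name)) + _name + _ints(NILVALUE_SXP)
PROMISE_RDS = HEADER + _ints(PROMSXP, UNBOUNDVALUE_SXP) + _call  # unevaluated promise

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_RDS), ("promise", PROMISE_RDS)):
        print(label, scan_rds(blob))
```

Run it on a file with `scan_rds(open(path, "rb").read())`; a `has_promise` of `True` in data that should only ever hold plain vectors or lists is the signal to quarantine rather than load. The walker deliberately refuses what it does not understand instead of skipping it, so an unusual stream produces an error, not a false "clean".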