Thursday, December 12, 2024

New R programming vulnerability exposes projects to supply chain attacks:

https://thehackernews.com/2024/04/new-r-programming-vulnerability-exposes.html

How about citing the following R risk issue, which affects R versions up to 4.3.1.

A critical security vulnerability, CVE-2024-27322, has been identified in R versions 1.4.0 through 4.3.1. The flaw allows an attacker to execute arbitrary code by abusing R's deserialization of untrusted data, in particular maliciously crafted RDS (R Data Serialization) files or R packages. It stems from R's handling of promise objects and lazy evaluation: an RDS file can carry a promise whose unevaluated expression is arbitrary R code, and that code runs once the file is loaded and the associated object is accessed. This poses a significant risk in environments where R packages and serialized data are shared, potentially enabling widespread supply chain attacks.

 

This issue was fixed in R 4.4.0.
