Critical R Programming Vulnerability Threatens Sensitive Sectors
April 29, 2024
HiddenLayer, a security firm, has identified a high-severity vulnerability, CVE-2024-27322, in the R programming language.
The flaw allows arbitrary code execution when untrusted data is deserialized, and it affects critical sectors like government and healthcare.
Attackers can exploit the vulnerability by crafting malicious RDS files, taking advantage of R's promise objects and lazy evaluation.
The vulnerability has been fixed in R version 4.4.0, released on April 24, 2024, after collaboration between HiddenLayer, R's maintainers, and CISA.
Given R's widespread use and the common practice of sharing packages, it is essential for organizations to update R and educate users on security.
Summary based on 3 sources
Sources
PR Newswire, Apr 29, 2024: HiddenLayer Uncovers Deserialization Vulnerability in Open-Source Programming Language, R
The Hacker News, Apr 29, 2024: New R Programming Vulnerability Exposes Projects to Supply Chain Attacks
Dark Reading, Apr 29, 2024: R Programming Bug Exposes Orgs to Vast Supply Chain Risk