CVE-2020-1914

EPSS 0.85%
Published 08.10.2020 19:15:12
Last modified 21.11.2024 05:11:36
Source cve-assign@fb.com
Teams watchlist Login
Open Login

A logic vulnerability when handling the SaveGeneratorLong instruction in Facebook Hermes prior to commit b2021df620824627f5a8c96615edbd1eb7fdddfc allows attackers to potentially read out of bounds or theoretically execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Facebook ≫ Hermes Version < 2020-10-01

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.85%	0.727

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-670 Always-Incorrect Control Flow Implementation

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

https://github.com/facebook/hermes/commit/b2021df620824627f5a8c96615edbd1eb7fdddfc

Patch

Third Party Advisory

https://www.facebook.com/security/advisories/cve-2020-1914

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-1914

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-1914

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-1914

EUVD