9.8

CVE-2021-31875

Exploit

EPSS 0.55%
Veröffentlicht 29.04.2021 02:15:08
Zuletzt bearbeitet 21.11.2024 06:06:24
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In mjs_json.c in Cesanta MongooseOS mJS 1.26, a maliciously formed JSON string can trigger an off-by-one heap-based buffer overflow in mjs_json_parse, which can potentially lead to redirection of control flow. NOTE: the original reporter disputes the significance of this finding because "there isn’t very much of an opportunity to exploit this reliably for an information leak, so there isn’t any real security impact."

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cesanta ≫ Mongooseos Mjs Version1.26

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.55%	0.671

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-193 Off-by-one Error

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://github.com/418sec/mjs/pull/2

Patch

Third Party Advisory

https://github.com/cesanta/mjs/releases/tag/1.26

Third Party Advisory

Release Notes

https://huntr.dev/bounties/1-other-mjs/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2021-31875

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-31875

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-31875

EUVD