CVE-2023-24832

EPSS 0.18%
Published 18.05.2023 22:15:09
Last modified 21.01.2025 21:15:09
Source cve-assign@fb.com
Teams watchlist Login
Open Login

A null pointer dereference bug in Hermes prior to commit 5cae9f72975cf0e5a62b27fdd8b01f103e198708 could have been used by an attacker to crash an Hermes runtime where the EnableHermesInternal config option was set to true. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Facebook ≫ Hermes Version < 2023-01-31

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.18%	0.403

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://github.com/facebook/hermes/commit/5cae9f72975cf0e5a62b27fdd8b01f103e198708

Patch

https://www.facebook.com/security/advisories/cve-2023-24832

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-24832

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-24832

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-24832

EUVD