CVE-2023-24832

EPSS 0.18%
Veröffentlicht 18.05.2023 22:15:09
Zuletzt bearbeitet 21.01.2025 21:15:09
Quelle cve-assign@fb.com
Teams Watchlist Login
Unerledigt Login

A null pointer dereference bug in Hermes prior to commit 5cae9f72975cf0e5a62b27fdd8b01f103e198708 could have been used by an attacker to crash an Hermes runtime where the EnableHermesInternal config option was set to true. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Facebook ≫ Hermes Version < 2023-01-31

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.403

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://github.com/facebook/hermes/commit/5cae9f72975cf0e5a62b27fdd8b01f103e198708

Patch

https://www.facebook.com/security/advisories/cve-2023-24832

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-24832

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-24832

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-24832

EUVD