Lucene search

[email protected]CVE-2023-33546

HistoryJun 01, 2023 - 1:15 p.m.

CVE-2023-33546

2023-06-0113:15:10

CWE-787

[email protected]

web.nvd.nist.gov

cve-2023-33546

janino

dos

denial of service

nvd

security vulnerability

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

5.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.9%

JSON

Janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow. NOTE: this is disputed by multiple parties because Janino is not intended for use with untrusted input.

Affected configurations

NVD

Node

janino_projectjaninoRange≤3.1.9

CPENameOperatorVersion
janino_project:janinojanino project janinole3.1.9

CPE	Name	Operator	Version
janino_project:janino	janino project janino	le	3.1.9

References

github.com/janino-compiler/janino/issues/201

janino-compiler.github.io/janino/#security

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

5.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.9%

JSON

Related for CVE-2023-33546

redhatcve1 nessus2 vulnrichment1 debiancve1 cvelist1 prion1 github1 veracode1 nvd1 osv1 openvas1 ubuntucve1 ibm1