cvelist GitHub_M CVELIST:CVE-2024-38375
History: Jun 26, 2024 - 6:46 p.m.

CVE-2024-38375 @fastly/js-compute use-after-free in some host call implementations

2024-06-26 18:46:12
CWE-416
GitHub_M
www.cve.org
4
cve-2024-38375
fastly
js-compute
use-after-free
bug
data loss
500 error
fixed

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H

EPSS: 0.0004 Low
Percentile: 9.1%

@fastly/js-compute is a JavaScript SDK and runtime for building Fastly Compute applications. The implementations of several functions were determined to include a use-after-free bug. This bug could allow unintended data loss if the results of those functions were sent anywhere else, and it often results in a guest trap, causing services to return a 500. This bug has been fixed in version 3.16.0 of the @fastly/js-compute package.

CNA Affected

[
  {
    "vendor": "fastly",
    "product": "js-compute-runtime",
    "versions": [
      {
        "version": ">= 3.0.0, < 3.16.0",
        "status": "affected"
      }
    ]
  }
]
