Lucene search

[email protected]NVD:CVE-2023-33546

HistoryJun 01, 2023 - 1:15 p.m.

CVE-2023-33546

2023-06-0113:15:10

CWE-787

[email protected]

web.nvd.nist.gov

cve-2023-33546

denial of service

parser crash

stack overflow

disputed

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

19.2%

JSON

Janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow. NOTE: this is disputed by multiple parties because Janino is not intended for use with untrusted input.

Affected configurations

Nvd

Node

janino_projectjaninoRange≤3.1.9

VendorProductVersionCPE
janino_projectjanino*cpe:2.3:a:janino_project:janino:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
janino_project	janino	*	cpe:2.3:a:janino_project:janino::::::::

References

github.com/janino-compiler/janino/issues/201

janino-compiler.github.io/janino/#security

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

19.2%

JSON

Related for NVD:CVE-2023-33546

veracode1 github1 ubuntucve1 redhatcve1 nessus2 vulnrichment1 cvelist1 debiancve1 prion1 osv1 openvas1 cve1 ibm1