Lucene search

GoogleOSV:CVE-2022-35289

HistoryOct 11, 2022 - 2:15 a.m.

CVE-2022-35289

2022-10-1102:15:08

Google

osv.dev

cve-2022-35289

integer overflow

hermes

arbitrary code execution

javascript

react native

security issue

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.6 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.9%

JSON

A write-what-where condition in hermes caused by an integer overflow, prior to commit 5b6255ae049fa4641791e47fad994e8e8c4da374 allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

CPENameOperatorVersion
hermeseq0.2.1
hermeseq0.5.0
hermeseq0.10.0
hermeseq0.11.0
hermeseq0.1.1
hermeseq0.1.0
hermeseq0.4.0
hermeseq0.7.0
hermeseqhermes-2022-07-15-RNv0.70.0-88dd5731a19ab6b38b0a0a2d4386ba959f2a2c98
hermeseq0.3.0

Name	Operator	Version
hermes	eq	0.2.1
hermes	eq	0.5.0
hermes	eq	0.10.0
hermes	eq	0.11.0
hermes	eq	0.1.1
hermes	eq	0.1.0
hermes	eq	0.4.0
hermes	eq	0.7.0
hermes	eq	hermes-2022-07-15-RNv0.70.0-88dd5731a19ab6b38b0a0a2d4386ba959f2a2c98
hermes	eq	0.3.0

Rows per page:

1-10 of 141

References

github.com/facebook/hermes/commit/5b6255ae049fa4641791e47fad994e8e8c4da374

www.facebook.com/security/advisories/CVE-2022-35289

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.6 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.9%

JSON

Related for OSV:CVE-2022-35289