CVE-2020-1913

Опубликовано: 09 сент. 2020

Источник: nvd

CVSS3: 8.1

CVSS2: 6.8

EPSS Низкий

Описание

An Integer signedness error in the JavaScript Interpreter in Facebook Hermes prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 allows attackers to cause a denial of service attack or a potential RCE via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Ссылки

https://github.com/facebook/hermes/commit/2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6
Patch
Third Party Advisory
https://www.facebook.com/security/advisories/cve-2020-1913
Vendor Advisory
https://github.com/facebook/hermes/commit/2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6
Patch
Third Party Advisory
https://www.facebook.com/security/advisories/cve-2020-1913
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:facebook:hermes:*:*:*:*:*:*:*:*

Версия до 0.4.3 (включая)

EPSS

Процентиль: 42%

0.002

Низкий

8.1 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-195

CWE-681

Связанные уязвимости

GHSA-gmpm-xp43-f7g6