CVE-2022-21144

Опубликовано: 01 мая 2022

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

This affects all versions of package libxmljs. When invoking the libxmljs.parseXml function with a non-buffer argument the V8 code will attempt invoking the .toString method of the argument. If the argument's toString value is not a Function object V8 will crash.

Ссылки

https://github.com/libxmljs/libxmljs/commit/2501807bde9b38cfaed06d1e140487516d91379d
Patch
Third Party Advisory
https://github.com/libxmljs/libxmljs/pull/594
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-LIBXMLJS-2348756
Exploit
Third Party Advisory
https://github.com/libxmljs/libxmljs/commit/2501807bde9b38cfaed06d1e140487516d91379d
Patch
Third Party Advisory
https://github.com/libxmljs/libxmljs/pull/594
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-LIBXMLJS-2348756
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:libxmljs_project:libxmljs:*:*:*:*:*:node.js:*:*

Версия до 0.19.8 (исключая)

EPSS

Процентиль: 40%

0.00182

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-20

Связанные уязвимости

GHSA-773h-w45w-f2f9