CVE-2024-21524

Опубликовано: 10 июл. 2024

Источник: nvd

CVSS3: 8.2

CVSS3: 9.1

EPSS Низкий

Описание

All versions of the package node-stringbuilder are vulnerable to Out-of-bounds Read due to incorrect memory length calculation, by calling ToBuffer, ToString, or CharAt on a StringBuilder object with a non-empty string value input. It's possible to return previously allocated memory, for example, by providing negative indexes, leading to an Information Disclosure.

Ссылки

https://gist.github.com/dellalibera/0bb022811224f81d998fa61c3175ee67
Exploit
Third Party Advisory
https://github.com/magiclen/node-stringbuilder/blob/5c2797d3d6bf8cb6d10fe1e077609cef9a5a7de0/src/node-stringbuilder.c%23L1281
Broken Link
https://security.snyk.io/vuln/SNYK-JS-NODESTRINGBUILDER-6421617
Exploit
Third Party Advisory
https://gist.github.com/dellalibera/0bb022811224f81d998fa61c3175ee67
Exploit
Third Party Advisory
https://github.com/magiclen/node-stringbuilder/blob/5c2797d3d6bf8cb6d10fe1e077609cef9a5a7de0/src/node-stringbuilder.c%23L1281
Broken Link
https://security.snyk.io/vuln/SNYK-JS-NODESTRINGBUILDER-6421617
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:magiclen:stringbuilder:*:*:*:*:*:node.js:*:*

Версия до 2.2.7 (включая)

EPSS

Процентиль: 43%

0.00211

Низкий

8.2 High

CVSS3

9.1 Critical

CVSS3

Дефекты

CWE-125

Связанные уязвимости

GHSA-g533-xq5w-jmf3

CVSS3: 8.2

github

больше 1 года назад

node-stringbuilder vulnerable to Out-of-bounds Read

EPSS

Процентиль: 43%

0.00211

Низкий

8.2 High

CVSS3

9.1 Critical

CVSS3

Дефекты

CWE-125