njs up to 0.4.3 njs_lvlhsh.c njs_lvlhsh_level_find out-of-bounds

Summaryinfo

A vulnerability marked as critical has been reported in njs up to 0.4.3. Affected by this issue is the function njs_lvlhsh_level_find of the file njs_lvlhsh.c. This manipulation causes out-of-bounds. The identification of this vulnerability is CVE-2020-24347. The attack can only be executed locally. There is no exploit available.

Detailsinfo

A vulnerability was found in njs up to 0.4.3. It has been declared as critical. Affected by this vulnerability is the function njs_lvlhsh_level_find of the file njs_lvlhsh.c. The manipulation with an unknown input leads to a out-of-bounds vulnerability. The CWE definition for the vulnerability is CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_lvlhsh_level_find in njs_lvlhsh.c.

The weakness was shared 08/13/2020. This vulnerability is known as CVE-2020-24347 since 08/13/2020. Attacking locally is a requirement. The exploitation doesn't need any form of authentication. Technical details of the vulnerability are known, but there is no available exploit.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The entries VDB-159921, VDB-159920 and VDB-159918 are related to this item. Be aware that VulDB is the high quality source for vulnerability data.

Affected

• Nginx

Productinfo

Name

• njs

Version

• 0.4.0
• 0.4.1
• 0.4.2
• 0.4.3

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion