| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.5 | $0-$5k | 0.00 |
Summary
A vulnerability classified as critical has been found in Facebook Hermes. It affects an unknown function of the component Javascript Object Handler. The manipulation leads to type confusion. This vulnerability is tracked as CVE-2020-1911. The attack can be initiated remotely. No exploit is publicly available. Installing the patch is recommended to address this issue.
Details
A vulnerability was found in Facebook Hermes (Social Network Software) (affected version unknown) and has been rated as critical. It affects an unknown function of the component Javascript Object Handler. Manipulation with an unknown input leads to a type confusion vulnerability, classified as CWE-843: the product allocates or initializes a resource such as a pointer, object, or variable using one type, but later accesses that resource using a type that is incompatible with the original type. Confidentiality, integrity, and availability are impacted. The summary by CVE is:
A type confusion vulnerability when resolving properties of JavaScript objects with specially-crafted prototype chains in Facebook Hermes prior to commit fe52854cdf6725c2eaa9e125995da76e6ceb27da allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
The weakness was disclosed on 09/04/2020 (GitHub Repository). The advisory is shared at github.com. This vulnerability has been identified as CVE-2020-1911 since 12/02/2019. The attack may be initiated remotely. No authentication is needed for successful exploitation. Neither technical details nor an exploit are publicly available.
Applying the patch fe52854cdf6725c2eaa9e125995da76e6ceb27da eliminates this problem.
Product
- Product: https://github.com/facebook/hermes/
CVSSv3
VulDB Meta Base Score: 8.5
VulDB Meta Temp Score: 8.1
VulDB Base Score: 7.3
VulDB Temp Score: 6.4
NVD Base Score: 9.8
Exploiting
Class: Type confusion
CWE: CWE-843
Physical: No
Local: No
Remote: Yes
Status: Not defined
Countermeasures
Recommended: Patch
Patch: fe52854cdf6725c2eaa9e125995da76e6ceb27da
Timeline
12/02/2019
09/04/2020
09/04/2020
11/12/2020
Sources
Product: github.com
Advisory: github.com
Status: Not defined
CVE: CVE-2020-1911
GCVE (CVE): GCVE-0-2020-1911
GCVE (VulDB): GCVE-100-160721
Entry
Created: 09/04/2020 13:31
Updated: 11/12/2020 17:27
Changes: 09/04/2020 13:31 (39), 09/04/2020 13:36 (18), 11/11/2020 08:15 (1), 11/12/2020 17:27 (1)