CRITICAL🇵🇱 Wersja polska

CVE-2023-50044

CVSS 9.8v3.1pub. 2023-12-20upd. 2024-11-21

Cesanta MJS 2.20.0 has a getprop_builtin_foreign out-of-bounds read if a Built-in API name occurs in a substring of an input string.

🤖 AI Analysis
How it works

The vulnerability is triggered when a built-in API name appears as a substring in the processed input string. In such a situation, the getprop_builtin_foreign function performs an out-of-bounds read. Lack of validation of length or boundaries of the processed string leads to uncontrolled memory access.

Impact

An attacker can cause disclosure of sensitive data from process memory, compromise integrity or availability of the application — in the worst case leading to its crash or enabling further exploitation activities.

Mitigation & patch

Patches available from the vendor should be applied according to references (fix available in the project repository on GitHub as pull request #255). Update to a version containing the implemented fix is recommended.

Who is affected

Cesanta MJS version 2.20.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Cesanta Mjs

    APP
    Cesanta
    2.22.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2023-43338CRITICAL9.8ten sam produkt

Cesanta mjs v2.20.0 was discovered to contain a function pointer hijacking vulnerability via the function mjs_...

CVE-2024-35386HIGH7.5ten sam produkt

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_do_gc functio...

CVE-2023-49551HIGH7.5ten sam produkt

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_parse...

CVE-2023-49549HIGH7.5ten sam produkt

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_getretvalpos ...

CVE-2023-49550HIGH7.5ten sam produkt

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs+0x4ec508 comp...