Details of VAR-202008-0762

ID

VAR-202008-0762

CVE

CVE-2020-24347

TITLE

njs Out-of-bounds read vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-009470

DESCRIPTION

njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_lvlhsh_level_find in njs_lvlhsh.c. njs Exists in an out-of-bounds read vulnerability.Service operation interruption (DoS) It may be put into a state. NGINX is a lightweight web server/reverse proxy server and e-mail (IMAP/POP3) proxy server of the American NGINX company. njs is one of the scripting language components that supports extending NGINX functionality. The njs_lvlhsh_level_find of the njs_lvlhsh.c file in njs 0.4.3 and earlier versions (used in NGINX) has a buffer error vulnerability. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc

Trust: 1.8

sources: NVD: CVE-2020-24347 // JVNDB: JVNDB-2020-009470 // VULHUB: VHN-178216 // VULMON: CVE-2020-24347

AFFECTED PRODUCTS

vendor:	f5	model:	njs	scope:	lte	version:	0.4.3	Trust: 1.0
vendor:	igor sysoev	model:	njs	scope:	eq	version:	0.4.3	Trust: 0.8

sources: JVNDB: JVNDB-2020-009470 // NVD: CVE-2020-24347

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-24347
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2020-009470
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202008-760
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-178216
value:	LOW
Trust: 0.1
VULMON:	CVE-2020-24347
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2020-24347
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:N/I:N/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
NVD:	JVNDB-2020-009470
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:N/I:N/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-178216
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:N/I:N/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-24347
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-009470
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-178216 // VULMON: CVE-2020-24347 // JVNDB: JVNDB-2020-009470 // CNNVD: CNNVD-202008-760 // NVD: CVE-2020-24347

PROBLEMTYPE DATA

problemtype:

CWE-125

Trust: 1.9

sources: VULHUB: VHN-178216 // JVNDB: JVNDB-2020-009470 // NVD: CVE-2020-24347

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202008-760

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202008-760

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-009470

PATCH

title:	Segfault in njs_lvlhsh_bucket_find #323	url:	https://github.com/nginx/njs/issues/323	Trust: 0.8
title:	CVE-Flow	url:	https://github.com/404notf0und/CVE-Flow	Trust: 0.1

sources: VULMON: CVE-2020-24347 // JVNDB: JVNDB-2020-009470

EXTERNAL IDS

db:	NVD	id:	CVE-2020-24347	Trust: 2.6
db:	JVNDB	id:	JVNDB-2020-009470	Trust: 0.8
db:	CNNVD	id:	CNNVD-202008-760	Trust: 0.7
db:	VULHUB	id:	VHN-178216	Trust: 0.1
db:	VULMON	id:	CVE-2020-24347	Trust: 0.1

sources: VULHUB: VHN-178216 // VULMON: CVE-2020-24347 // JVNDB: JVNDB-2020-009470 // CNNVD: CNNVD-202008-760 // NVD: CVE-2020-24347

REFERENCES

url:	https://security.netapp.com/advisory/ntap-20200918-0001/	Trust: 1.8
url:	https://github.com/nginx/njs/issues/323	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-24347	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-24347	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/125.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/404notf0und/cve-flow	Trust: 0.1

sources: VULHUB: VHN-178216 // VULMON: CVE-2020-24347 // JVNDB: JVNDB-2020-009470 // CNNVD: CNNVD-202008-760 // NVD: CVE-2020-24347

SOURCES

db:	VULHUB	id:	VHN-178216
db:	VULMON	id:	CVE-2020-24347
db:	JVNDB	id:	JVNDB-2020-009470
db:	CNNVD	id:	CNNVD-202008-760
db:	NVD	id:	CVE-2020-24347

LAST UPDATE DATE

2024-11-23T22:05:28.430000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-178216	date:	2022-04-15T00:00:00
db:	VULMON	id:	CVE-2020-24347	date:	2020-09-18T00:00:00
db:	JVNDB	id:	JVNDB-2020-009470	date:	2020-11-09T07:13:41
db:	CNNVD	id:	CNNVD-202008-760	date:	2020-09-21T00:00:00
db:	NVD	id:	CVE-2020-24347	date:	2024-11-21T05:14:38.457

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-178216	date:	2020-08-13T00:00:00
db:	VULMON	id:	CVE-2020-24347	date:	2020-08-13T00:00:00
db:	JVNDB	id:	JVNDB-2020-009470	date:	2020-11-09T07:13:41
db:	CNNVD	id:	CNNVD-202008-760	date:	2020-08-13T00:00:00
db:	NVD	id:	CVE-2020-24347	date:	2020-08-13T19:15:13.943