Sign-up

ID

VAR-202008-0763


CVE

CVE-2020-24348


TITLE

njs Out-of-bounds read vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-009471

DESCRIPTION

njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c. njs Exists in an out-of-bounds read vulnerability.Service operation interruption (DoS) It may be put into a state. NGINX is a lightweight web server/reverse proxy server and e-mail (IMAP/POP3) proxy server of the American NGINX company. njs is one of the scripting language components that supports extending NGINX functionality. The njs_json_stringify_iterator of the njs_json.c file in njs 0.4.3 and earlier versions (used in NGINX) has a buffer error vulnerability. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc

Trust: 1.71

sources: NVD: CVE-2020-24348 // JVNDB: JVNDB-2020-009471 // VULHUB: VHN-178217

AFFECTED PRODUCTS

vendor:f5model:njsscope:lteversion:0.4.3

Trust: 1.0

vendor:igor sysoevmodel:njsscope:eqversion:0.4.3

Trust: 0.8

sources: JVNDB: JVNDB-2020-009471 // NVD: CVE-2020-24348

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-24348
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-009471
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202008-761
value: MEDIUM

Trust: 0.6

VULHUB: VHN-178217
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2020-24348
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:N/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-009471
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:N/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-178217
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:N/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-24348
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-009471
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-178217 // JVNDB: JVNDB-2020-009471 // CNNVD: CNNVD-202008-761 // NVD: CVE-2020-24348

PROBLEMTYPE DATA

problemtype:CWE-125

Trust: 1.9

sources: VULHUB: VHN-178217 // JVNDB: JVNDB-2020-009471 // NVD: CVE-2020-24348

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202008-761

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202008-761

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-009471

PATCH
title:Segfault in njs_json_stringify_iterator #322url:https://github.com/nginx/njs/issues/322
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2020-009471

EXTERNAL IDS
db:NVDid:CVE-2020-24348
Trust: 2.5
db:JVNDBid:JVNDB-2020-009471
Trust: 0.8
db:CNNVDid:CNNVD-202008-761
Trust: 0.7
db:VULHUBid:VHN-178217
Trust: 0.1
sources:
            
            
            VULHUB: VHN-178217 // 
            
            
            
            JVNDB: JVNDB-2020-009471 // 
            
            
            
            CNNVD: CNNVD-202008-761 // 
            
            
            
            NVD: CVE-2020-24348

REFERENCES
url:https://security.netapp.com/advisory/ntap-20200918-0001/
Trust: 1.7
url:https://github.com/nginx/njs/issues/322
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2020-24348
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-24348
Trust: 0.8
sources:
            
            
            VULHUB: VHN-178217 // 
            
            
            
            JVNDB: JVNDB-2020-009471 // 
            
            
            
            CNNVD: CNNVD-202008-761 // 
            
            
            
            NVD: CVE-2020-24348

SOURCES
db:VULHUBid:VHN-178217
db:JVNDBid:JVNDB-2020-009471
db:CNNVDid:CNNVD-202008-761
db:NVDid:CVE-2020-24348

LAST UPDATE DATE
2024-11-23T22:40:58.698000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-178217date:2022-04-15T00:00:00
db:JVNDBid:JVNDB-2020-009471date:2020-11-09T07:13:42
db:CNNVDid:CNNVD-202008-761date:2020-09-21T00:00:00
db:NVDid:CVE-2020-24348date:2024-11-21T05:14:38.600

SOURCES RELEASE DATE
db:VULHUBid:VHN-178217date:2020-08-13T00:00:00
db:JVNDBid:JVNDB-2020-009471date:2020-11-09T07:13:42
db:CNNVDid:CNNVD-202008-761date:2020-08-13T00:00:00
db:NVDid:CVE-2020-24348date:2020-08-13T19:15:14.003