Sign-up

ID

VAR-202008-0764


CVE

CVE-2020-24349


TITLE

njs Input verification vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-009473

DESCRIPTION

njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface. njs There is an input verification vulnerability in.Information may be tampered with. NGINX is a lightweight web server/reverse proxy server and e-mail (IMAP/POP3) proxy server of the American NGINX company. njs is one of the scripting language components that supports extending NGINX functionality. There is a security vulnerability in the njs_value_property of the njs_value.c file in njs 0.4.3 and earlier versions (used in NGINX). An attacker could exploit this vulnerability to hijack control flow

Trust: 1.71

sources: NVD: CVE-2020-24349 // JVNDB: JVNDB-2020-009473 // VULHUB: VHN-178218

AFFECTED PRODUCTS

vendor:f5model:njsscope:lteversion:0.4.3

Trust: 1.0

vendor:igor sysoevmodel:njsscope:eqversion:0.4.3

Trust: 0.8

sources: JVNDB: JVNDB-2020-009473 // NVD: CVE-2020-24349

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-24349
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-009473
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202008-762
value: MEDIUM

Trust: 0.6

VULHUB: VHN-178218
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2020-24349
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-009473
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-178218
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-24349
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-009473
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-178218 // JVNDB: JVNDB-2020-009473 // CNNVD: CNNVD-202008-762 // NVD: CVE-2020-24349

PROBLEMTYPE DATA

problemtype:CWE-416

Trust: 1.1

problemtype:CWE-20

Trust: 0.9

sources: VULHUB: VHN-178218 // JVNDB: JVNDB-2020-009473 // NVD: CVE-2020-24349

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202008-762

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202008-762

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-009473

PATCH
title:Control flow hijack in njs_value_property #324url:https://github.com/nginx/njs/issues/324
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2020-009473

EXTERNAL IDS
db:NVDid:CVE-2020-24349
Trust: 2.5
db:JVNDBid:JVNDB-2020-009473
Trust: 0.8
db:CNNVDid:CNNVD-202008-762
Trust: 0.7
db:VULHUBid:VHN-178218
Trust: 0.1
sources:
            
            
            VULHUB: VHN-178218 // 
            
            
            
            JVNDB: JVNDB-2020-009473 // 
            
            
            
            CNNVD: CNNVD-202008-762 // 
            
            
            
            NVD: CVE-2020-24349

REFERENCES
url:https://security.netapp.com/advisory/ntap-20200918-0001/
Trust: 1.7
url:https://cwe.mitre.org/data/definitions/416.html
Trust: 1.7
url:https://github.com/nginx/njs/issues/324
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2020-24349
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-24349
Trust: 0.8
sources:
            
            
            VULHUB: VHN-178218 // 
            
            
            
            JVNDB: JVNDB-2020-009473 // 
            
            
            
            CNNVD: CNNVD-202008-762 // 
            
            
            
            NVD: CVE-2020-24349

SOURCES
db:VULHUBid:VHN-178218
db:JVNDBid:JVNDB-2020-009473
db:CNNVDid:CNNVD-202008-762
db:NVDid:CVE-2020-24349

LAST UPDATE DATE
2024-11-23T22:29:29.956000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-178218date:2022-10-05T00:00:00
db:JVNDBid:JVNDB-2020-009473date:2020-11-09T07:13:45
db:CNNVDid:CNNVD-202008-762date:2022-07-14T00:00:00
db:NVDid:CVE-2020-24349date:2024-11-21T05:14:38.750

SOURCES RELEASE DATE
db:VULHUBid:VHN-178218date:2020-08-13T00:00:00
db:JVNDBid:JVNDB-2020-009473date:2020-11-09T07:13:45
db:CNNVDid:CNNVD-202008-762date:2020-08-13T00:00:00
db:NVDid:CVE-2020-24349date:2020-08-13T19:15:14.050