Lucene search

GitHub Advisory DatabaseGHSA-4CXW-HQ44-R344

HistoryFeb 24, 2022 - 12:00 a.m.

Off-by-one Error in v2fly/v2ray-core

2022-02-2400:00:52

CWE-193

GitHub Advisory Database

github.com

v2fly

v2ray-core

off-by-one error

vulnerability

software

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS

0.002

Percentile

56.6%

JSON

v2fly/v2ray-core prior to 4.44.0 is vulnerable to an off-by-one error. Indexing operations on arrays, slices, or strings should use an index at most one less than the length. If the index is checked for being less than or equal to the length (<=), instead of less than the length (<), the index could be out of bounds.

Affected configurations

Vulners

Node

github.com\/v2fly\/v2raycoreRange<4.44.0

github.com\/v2fly\/v2raycore\/v4Range<4.44.0

References

github.com/advisories/GHSA-4cxw-hq44-r344

github.com/v2fly/v2ray-core/commit/c1af2bfd7aa59a4482aa7f6ec4b9208c1d350b5c

huntr.dev/bounties/8da19456-4d89-41ef-9781-a41efd6a1877

nvd.nist.gov/vuln/detail/CVE-2021-4070

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS

0.002

Percentile

56.6%

JSON

Related for GHSA-4CXW-HQ44-R344