Lucene search

[email protected]NVD:CVE-2021-24045

HistoryDec 13, 2021 - 9:15 p.m.

CVE-2021-24045

2021-12-1321:15:08

CWE-843

[email protected]

web.nvd.nist.gov

type confusion

facebook hermes

v0.10.0

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

65.1%

JSON

A type confusion vulnerability could be triggered when resolving the “typeof” unary operator in Facebook Hermes prior to v0.10.0. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Affected configurations

Nvd

Node

facebookhermesRange<0.10.0

VendorProductVersionCPE
facebookhermes*cpe:2.3:a:facebook:hermes:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
facebook	hermes	*	cpe:2.3:a:facebook:hermes::::::::

References

github.com/facebook/hermes/commit/55e1b2343f4deb1a1b5726cfe1e23b2068217ff2

www.facebook.com/security/advisories/cve-2021-24045

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

65.1%

JSON

Related for NVD:CVE-2021-24045

prion1 osv1 cve1 cvelist1