CVE-2023-33546

Janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow. NOTE: this is disputed by multiple parties because Janino is not intended for use with untrusted input.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/janino-compiler/janino/issues/201	Exploit Issue Tracking Third Party Advisory
https://janino-compiler.github.io/janino/#security
https://github.com/janino-compiler/janino/issues/201	Exploit Issue Tracking Third Party Advisory
https://janino-compiler.github.io/janino/#security

Configurations

Configuration 1 (hide)

cpe:2.3:a:janino_project:janino:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:05

Type	Values Removed	Values Added
References	~~() https://github.com/janino-compiler/janino/issues/201 - Exploit, Issue Tracking, Third Party Advisory~~	() https://github.com/janino-compiler/janino/issues/201 - Exploit, Issue Tracking, Third Party Advisory
References	~~() https://janino-compiler.github.io/janino/#security -~~	() https://janino-compiler.github.io/janino/#security -

07 Nov 2023, 04:14

Type	Values Removed	Values Added
Summary	DISPUTED Janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow. NOTE: this is disputed by multiple parties because Janino is not intended for use with untrusted input.	Janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow. NOTE: this is disputed by multiple parties because Janino is not intended for use with untrusted input.

08 Sep 2023, 05:15

Type	Values Removed	Values Added
References		(MISC) https://janino-compiler.github.io/janino/#security -
Summary	janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow.	DISPUTED Janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow. NOTE: this is disputed by multiple parties because Janino is not intended for use with untrusted input.

08 Jun 2023, 18:49

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/janino-compiler/janino/issues/201 -~~	(MISC) https://github.com/janino-compiler/janino/issues/201 - Exploit, Issue Tracking, Third Party Advisory
CPE		cpe:2.3:a:janino_project:janino::::::::
CWE		CWE-787
First Time		Janino Project Janino Project janino
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5

01 Jun 2023, 14:01

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-06-01 13:15

Updated : 2024-11-21 08:05

NVD link : CVE-2023-33546

Mitre link : CVE-2023-33546

CVE.ORG link : CVE-2023-33546

JSON object : View

Products Affected

janino_project

janino

CWE

CWE-787

Out-of-bounds Write

5.5 /10