CVE-2024-43357

{"id": "CVE-2024-43357", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 3.9}]}, "published": "2024-08-15T19:15:20.107", "references": [{"url": "https://bugs.webkit.org/show_bug.cgi?id=275407", "source": "security-advisories@github.com"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1901411", "source": "security-advisories@github.com"}, {"url": "https://github.com/boa-dev/boa/security/advisories/GHSA-f67q-wr6w-23jq", "source": "security-advisories@github.com"}, {"url": "https://github.com/tc39/ecma262/commit/1e24a286d0a327d08e1154926b3ee79820232727", "source": "security-advisories@github.com"}, {"url": "https://github.com/tc39/ecma262/commit/4cb5a6980e20be76c648f113c4cc762342172df3", "source": "security-advisories@github.com"}, {"url": "https://github.com/tc39/ecma262/pull/2413", "source": "security-advisories@github.com"}, {"url": "https://github.com/tc39/ecma262/security/advisories/GHSA-g38c-wh3c-5h9r", "source": "security-advisories@github.com"}, {"url": "https://issues.chromium.org/issues/346692561", "source": "security-advisories@github.com"}, {"url": "https://tc39.es/ecma262/#sec-asyncgenerator-objects", "source": "security-advisories@github.com"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2024-7652", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-248"}, {"lang": "en", "value": "CWE-476"}, {"lang": "en", "value": "CWE-843"}]}], "descriptions": [{"lang": "en", "value": "ECMA-262 is the language specification for the scripting language ECMAScript. A problem in the ECMAScript (JavaScript) specification of async generators, introduced by a May 2021 spec refactor, may lead to mis-implementation in a way that could present as a security vulnerability, such as type confusion and pointer dereference.\n\nThe internal async generator machinery calls regular promise resolver functions on IteratorResult (`{ done, value }`) objects that it creates, assuming that the IteratorResult objects will not be then-ables. Unfortunately, these IteratorResult objects inherit from `Object.prototype`, so these IteratorResult objects can be made then-able, triggering arbitrary behaviour, including re-entering the async generator machinery in a way that violates some internal invariants.\n\nThe ECMAScript specification is a living standard and the issue has been addressed at the time of this advisory's public disclosure. JavaScript engine implementors should refer to the latest specification and update their implementations to comply with the `AsyncGenerator` section.\n\n## References\n\n- https://github.com/tc39/ecma262/commit/1e24a286d0a327d08e1154926b3ee79820232727\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1901411\n- https://github.com/boa-dev/boa/security/advisories/GHSA-f67q-wr6w-23jq\n- https://bugs.webkit.org/show_bug.cgi?id=275407\n- https://issues.chromium.org/issues/346692561\n- https://www.cve.org/CVERecord?id=CVE-2024-7652"}, {"lang": "es", "value": "ECMA-262 es la especificaci\u00f3n del lenguaje para el lenguaje de scripting ECMAScript. Un problema en la especificaci\u00f3n ECMAScript (JavaScript) de los generadores as\u00edncronos, introducido por una refactorizaci\u00f3n de especificaciones de mayo de 2021, puede provocar una implementaci\u00f3n incorrecta de una manera que podr\u00eda presentarse como una vulnerabilidad de seguridad, como confusi\u00f3n de tipos y desreferencia de puntero. La maquinaria interna del generador as\u00edncrono llama a funciones regulares de resoluci\u00f3n de promesas en los objetos IteratorResult (`{ done, value }`) que crea, asumiendo que los objetos IteratorResult no ser\u00e1n habilitables en ese momento. Desafortunadamente, estos objetos IteratorResult heredan de `Object.prototype`, por lo que estos objetos IteratorResult pueden volverse compatibles, lo que desencadena un comportamiento arbitrario, incluido el reingreso a la maquinaria del generador as\u00edncrono de una manera que viola algunas invariantes internas. La especificaci\u00f3n ECMAScript es un est\u00e1ndar de vida y el problema se ha abordado en el momento de la divulgaci\u00f3n p\u00fablica de este aviso. Los implementadores del motor JavaScript deben consultar la especificaci\u00f3n m\u00e1s reciente y actualizar sus implementaciones para cumplir con la secci\u00f3n \"AsyncGenerator\". ## Referencias: https://github.com/tc39/ecma262/commit/1e24a286d0a327d08e1154926b3ee79820232727 - https://bugzilla.mozilla.org/show_bug.cgi?id=1901411 - https://github.com/boa-dev/ boa/security/advisories/GHSA-f67q-wr6w-23jq - https://bugs.webkit.org/show_bug.cgi?id=275407 - https://issues.chromium.org/issues/346692561 - https:// www.cve.org/CVERecord?id=CVE-2024-7652"}], "lastModified": "2024-08-19T13:00:23.117", "sourceIdentifier": "security-advisories@github.com"}