CVE-2024-21524

July 10, 2024, 5:15 a.m.

8.2
High

Description

All versions of the package node-stringbuilder are vulnerable to Out-of-bounds Read due to incorrect memory length calculation, by calling ToBuffer, ToString, or CharAt on a StringBuilder object with a non-empty string value input. It's possible to return previously allocated memory, for example, by providing negative indexes, leading to an Information Disclosure.

Product(s) Impacted

Product Versions
node-stringbuilder

Weaknesses

CWE-125
Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.

References

https://gist.github.com/dellalibera/0bb022811224f81d998fa61c3175ee67
https://github.com/magiclen/node-stringbuilder/blob/5c2797d3d6bf8cb6d10fe1e077609cef9a5a7de0/src/node-stringbuilder.c%23L1281
https://security.snyk.io/vuln/SNYK-JS-NODESTRINGBUILDER-6421617

Tags

CWE-125
report@snyk.io
2024-07-10
CVE-2024-21524

CVSS Score

8.2 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Date

  • Published: July 10, 2024, 5:15 a.m.
  • Last Modified: July 10, 2024, 5:15 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

report@snyk.io

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.