CVE-2020-24349

njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
VendorProductVersion
f5njs
𝑥
≤ 0.4.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://cwe.mitre.org/data/definitions/416.html
https://github.com/nginx/njs/issues/324
https://security.netapp.com/advisory/ntap-20200918-0001/
https://cwe.mitre.org/data/definitions/416.html
https://github.com/nginx/njs/issues/324
https://security.netapp.com/advisory/ntap-20200918-0001/