CVE-2020-24349 — Use After Free in F5 NJS

CWE-416 — Use After Free CWE-20 — Improper Input Validation3 documents3 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 82.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 NJS

Timeline

PublishedAug 13

Latest updateMay 24

Description

njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages1 packages

▶NVDf5/njs0.4.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-gv5c-89fp-pfpj: njs through 0↗2022-05-24

▶

CVEList

CVE-2020-24349: njs through 0↗2020-08-13

▶