CVE-2021-46463 — Type Confusion in F5 NJS

CWE-843 — Type Confusion4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.5%

top 35.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Nginx F5 NJS

Timeline

PublishedFeb 14

Latest updateFeb 15

Description

njs through 0.7.1, used in NGINX, was discovered to contain a control flow hijack caused by a Type Confusion vulnerability in njs_promise_perform_then().

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶Alpinef5/nginx< 1.20.2-r2+7

▶NVDf5/njs0.7.1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-rcr4-6fgm-fjc6: njs through 0↗2022-02-15

▶

CVEList

CVE-2021-46463: njs through 0↗2022-02-14

▶

OSV

CVE-2021-46463: njs through 0↗2022-02-14

▶