CVE-2022-1286 — Heap-based Buffer Overflow in Mruby

CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write CWE-1286 — Improper Validation of Syntactic Correctness of Input CWE-20 — Improper Input Validation9 documents7 sources

Severity

9.8CRITICALNVD

EPSS

0.6%

top 30.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mruby Mruby Mruby Debian Mruby +25 more

Timeline

PublishedApr 10

Latest updateOct 18

Description

heap-buffer-overflow in mrb_vm_exec in mruby/mruby in GitHub repository mruby/mruby prior to 3.2. Possible arbitrary code execution if being exploited.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages29 packages

▶NVDmruby/mruby< 3.2

▶debiandebian/mruby< mruby 3.0.0-4 (bookworm)

▶CVEListV5mruby/mruby_mrubyunspecified — 3.2

▶Debianmruby/mruby< 3.0.0-4+2

▶juniperjuniper/junos_os

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-6c7w-5xfj-j2mc: heap-buffer-overflow in mrb_vm_exec in mruby/mruby in GitHub repository mruby/mruby prior to 3↗2022-04-11

▶

OSV

CVE-2022-1286: heap-buffer-overflow in mrb_vm_exec in mruby/mruby in GitHub repository mruby/mruby prior to 3↗2022-04-10

▶

📋Vendor Advisories

Juniper

CVE-2022-22192: An Improper Validation of Syntactic Correctness of Input vulnerability in the kernel of Juniper Networks Junos OS Evolved on PTX series allows a netwo↗2022-10-18

▶

Red Hat

protobuf: message parsing vulnerability in ProtocolBuffers↗2022-09-22

▶

Microsoft

Out of Memory issue in ProtocolBuffers for cpp and python↗2022-09-13

▶

Red Hat

curl: Incorrect handling of control code characters in cookies↗2022-08-31

▶

Juniper

CVE-2022-22176: An Improper Validation of Syntactic Correctness of Input vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS allows an adja↗2022-01-19

▶