Vulnerability Details CVE-2024-21524
All versions of the package node-stringbuilder are vulnerable to Out-of-bounds Read due to incorrect memory length calculation, by calling ToBuffer, ToString, or CharAt on a StringBuilder object with a non-empty string value input. It's possible to return previously allocated memory, for example, by providing negative indexes, leading to an Information Disclosure.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 33.7%
CVSS Severity
CVSS v3 Score 8.2
References
- https://gist.github.com/dellalibera/0bb022811224f81d998fa61c3175ee67
- https://github.com/magiclen/node-stringbuilder/blob/5c2797d3d6bf8cb6d10fe1e077609cef9a5a7de0/src/node-stringbuilder.c%23L1281
- https://security.snyk.io/vuln/SNYK-JS-NODESTRINGBUILDER-6421617
- https://gist.github.com/dellalibera/0bb022811224f81d998fa61c3175ee67
- https://github.com/magiclen/node-stringbuilder/blob/5c2797d3d6bf8cb6d10fe1e077609cef9a5a7de0/src/node-stringbuilder.c%23L1281
- https://security.snyk.io/vuln/SNYK-JS-NODESTRINGBUILDER-6421617
Products affected by CVE-2024-21524
-
cpe:2.3:a:magiclen:stringbuilder:-
-
cpe:2.3:a:magiclen:stringbuilder:1.0.0
-
cpe:2.3:a:magiclen:stringbuilder:1.1.0
-
cpe:2.3:a:magiclen:stringbuilder:1.3.0
-
cpe:2.3:a:magiclen:stringbuilder:2.0.0
-
cpe:2.3:a:magiclen:stringbuilder:2.0.1
-
cpe:2.3:a:magiclen:stringbuilder:2.0.2
-
cpe:2.3:a:magiclen:stringbuilder:2.1.0
-
cpe:2.3:a:magiclen:stringbuilder:2.1.1
-
cpe:2.3:a:magiclen:stringbuilder:2.2.0
-
cpe:2.3:a:magiclen:stringbuilder:2.2.1
-
cpe:2.3:a:magiclen:stringbuilder:2.2.2
-
cpe:2.3:a:magiclen:stringbuilder:2.2.3
-
cpe:2.3:a:magiclen:stringbuilder:2.2.4
-
cpe:2.3:a:magiclen:stringbuilder:2.2.5
-
cpe:2.3:a:magiclen:stringbuilder:2.2.6
-
cpe:2.3:a:magiclen:stringbuilder:2.2.7