cvelistv5 - CVE-2023-33546

▼	URL	Tags
	cve@mitre.org	https://github.com/janino-compiler/janino/issues/201	Exploit, Issue Tracking, Third Party Advisory
	cve@mitre.org	https://janino-compiler.github.io/janino/#security

▼	Vendor	Product
	n/a	n/a

wid-sec-w-2024-1769

Vulnerability from csaf_certbund

Published

2024-08-05 22:00

Modified

2024-08-05 22:00

Summary

Hitachi Ops Center: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Hitachi Ops Center ist eine Softwarelösung für Rechenzentren zur Verwaltung, Optimierung, Orchestrierung und zum Schutz von Daten.

Angriff

Ein Angreifer kann mehrere Schwachstellen in Hitachi Ops Center ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Hitachi Ops Center ist eine Softwarel\u00f6sung f\u00fcr Rechenzentren zur Verwaltung, Optimierung, Orchestrierung und zum Schutz von Daten.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Hitachi Ops Center ausnutzen, um einen nicht n\u00e4her spezifizierten Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-1769 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1769.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-1769 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1769"
      },
      {
        "category": "external",
        "summary": "Hitachi Software Vulnerability Information vom 2024-08-05",
        "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-136/index.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Hitachi Ops Center: Mehrere Schwachstellen erm\u00f6glichen nicht spezifizierten Angriff",
    "tracking": {
      "current_release_date": "2024-08-05T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:11:59.017+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-1769",
      "initial_release_date": "2024-08-05T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-08-05T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Analyzer \u003c11.0.1-00",
                "product": {
                  "name": "Hitachi Ops Center Analyzer \u003c11.0.1-00",
                  "product_id": "T036614"
                }
              },
              {
                "category": "product_version_range",
                "name": "Viewpoint \u003c11.0.2-00",
                "product": {
                  "name": "Hitachi Ops Center Viewpoint \u003c11.0.2-00",
                  "product_id": "T036615"
                }
              }
            ],
            "category": "product_name",
            "name": "Ops Center"
          }
        ],
        "category": "vendor",
        "name": "Hitachi"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-0482",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Hitachi Ops Center, die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen."
        }
      ],
      "release_date": "2024-08-05T22:00:00.000+00:00",
      "title": "CVE-2023-0482"
    },
    {
      "cve": "CVE-2023-24815",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Hitachi Ops Center, die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen."
        }
      ],
      "release_date": "2024-08-05T22:00:00.000+00:00",
      "title": "CVE-2023-24815"
    },
    {
      "cve": "CVE-2023-2974",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Hitachi Ops Center, die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen."
        }
      ],
      "release_date": "2024-08-05T22:00:00.000+00:00",
      "title": "CVE-2023-2974"
    },
    {
      "cve": "CVE-2023-32081",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Hitachi Ops Center, die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen."
        }
      ],
      "release_date": "2024-08-05T22:00:00.000+00:00",
      "title": "CVE-2023-32081"
    },
    {
      "cve": "CVE-2023-33546",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Hitachi Ops Center, die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen."
        }
      ],
      "release_date": "2024-08-05T22:00:00.000+00:00",
      "title": "CVE-2023-33546"
    },
    {
      "cve": "CVE-2023-4853",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Hitachi Ops Center, die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen."
        }
      ],
      "release_date": "2024-08-05T22:00:00.000+00:00",
      "title": "CVE-2023-4853"
    }
  ]
}

ghsa-gcg6-xv4f-f749

Vulnerability from github

Published

2023-06-01 15:30

Modified

2023-06-09 15:02

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Summary

janino vulnerable to denial of service due to stack overflow

Details

janino 3.1.9 and earlier is subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.codehaus.janino:janino-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-33546"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-06T02:03:28Z",
    "nvd_published_at": "2023-06-01T13:15:10Z",
    "severity": "MODERATE"
  },
  "details": "janino 3.1.9 and earlier is subject to denial of service (DOS) attacks when using the expression `evaluator.guess` parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow.",
  "id": "GHSA-gcg6-xv4f-f749",
  "modified": "2023-06-09T15:02:18Z",
  "published": "2023-06-01T15:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33546"
    },
    {
      "type": "WEB",
      "url": "https://github.com/janino-compiler/janino/issues/201"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/janino-compiler/janino"
    },
    {
      "type": "WEB",
      "url": "https://janino-compiler.github.io/janino/#security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "janino vulnerable to denial of service due to stack overflow"
}

gsd-2023-33546

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

** DISPUTED ** Janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow. NOTE: this is disputed by multiple parties because Janino is not intended for use with untrusted input.

Aliases

CVE-2023-33546

Aliases

CVE-2023-33546

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-33546",
    "id": "GSD-2023-33546"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-33546"
      ],
      "details": "** DISPUTED ** Janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow. NOTE: this is disputed by multiple parties because Janino is not intended for use with untrusted input.",
      "id": "GSD-2023-33546",
      "modified": "2023-12-13T01:20:37.309501Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2023-33546",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** DISPUTED ** Janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow. NOTE: this is disputed by multiple parties because Janino is not intended for use with untrusted input."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/janino-compiler/janino/issues/201",
            "refsource": "MISC",
            "url": "https://github.com/janino-compiler/janino/issues/201"
          },
          {
            "name": "https://janino-compiler.github.io/janino/#security",
            "refsource": "MISC",
            "url": "https://janino-compiler.github.io/janino/#security"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,3.1.9]",
          "affected_versions": "All versions up to 3.1.9",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-787",
            "CWE-937"
          ],
          "date": "2023-06-09",
          "description": "janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow.",
          "fixed_versions": [],
          "identifier": "CVE-2023-33546",
          "identifiers": [
            "GHSA-gcg6-xv4f-f749",
            "CVE-2023-33546"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.codehaus.janino/janino-parent",
          "pubdate": "2023-06-01",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Out-of-bounds Write",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2023-33546",
            "https://github.com/janino-compiler/janino/issues/201",
            "https://github.com/advisories/GHSA-gcg6-xv4f-f749"
          ],
          "uuid": "1f978e56-9bbe-410c-9c92-fa30e7a5e169"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:janino_project:janino:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E70F1ECA-3C8D-43A0-AF1D-602935F0C7D6",
                    "versionEndIncluding": "3.1.9",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow. NOTE: this is disputed by multiple parties because Janino is not intended for use with untrusted input."
          }
        ],
        "id": "CVE-2023-33546",
        "lastModified": "2024-04-11T01:20:24.653",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.8,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2023-06-01T13:15:10.743",
        "references": [
          {
            "source": "cve@mitre.org",
            "tags": [
              "Exploit",
              "Issue Tracking",
              "Third Party Advisory"
            ],
            "url": "https://github.com/janino-compiler/janino/issues/201"
          },
          {
            "source": "cve@mitre.org",
            "url": "https://janino-compiler.github.io/janino/#security"
          }
        ],
        "sourceIdentifier": "cve@mitre.org",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-787"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

Action not permitted

CVE-2023-33546

Vulnerability from cvelistv5

wid-sec-w-2024-1769

Vulnerability from csaf_certbund

ghsa-gcg6-xv4f-f749

Vulnerability from github

gsd-2023-33546

Vulnerability from gsd

Tags