CVE-2023-33546 — janino vulnerable to denial of service due to stack overflow

Description

janino 3.1.9 and earlier is subject to denial of service (DOS) attacks when using the expression `evaluator.guess` parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow.

How to fix CVE-2023-33546

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed

Is CVE-2023-33546 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, <= 3.1.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-33546
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-33546
PATCHgithub.com/janino-compiler/janino
WEBgithub.com/janino-compiler/janino/issues/201
WEB