CVE-2019-5786

MEDIUM6.5⚠ KEVEPSS 89.9%

Use-After-Free in puppeteer

發布日:2020/9/2修改日:2023/11/8加入 CISA KEV 日:2022/5/23

也稱為:GHSA-c2gp-86p4-5935DEBIAN-CVE-2019-5786

描述

Versions of `puppeteer` prior to 1.13.0 are vulnerable to the Use-After-Free vulnerability in Chromium (CVE-2019-5786). The Chromium FileReader API is vulnerable to Use-After-Free which may lead to Remote Code Execution. ## Recommendation Upgrade to version 1.13.0 or later.

受影響套件(3)

Debian/chromiumfrom 0, < 72.0.3626.121-1
Debian/chromiumfrom 0, < 72.0.3626.122-1~deb9u1
npm/puppeteerfrom 0, < 1.13.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

參考連結(9)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-5786
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-5786
PATCHhttps://github.com/GoogleChrome/puppeteer
WEBhttps://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation
WEBhttps://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html
WEBhttps://crbug.com/936448
WEBhttps://github.com/GoogleChrome/puppeteer/issues/4141
WEBhttps://snyk.io/vuln/SNYK-JS-PUPPETEER-174321
WEBhttps://www.npmjs.com/advisories/824