CVE-2024-21502
Uninitialized Variable in fastecdsa
7.5
HIGH
CVSS 3.1
EPSS 0.15%
Description
Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, because the uninitialized stack memory is used and interpreted as a user-defined type. Depending on the variable's actual contents, this can result in an arbitrary free(), an arbitrary realloc(), a null pointer dereference, and other effects. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structures, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.
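The defect class the description names is easy to reproduce in miniature: a stack-allocated struct that owns a heap buffer is handed, uninitialized, to a "set" routine that passes the struct's pointer field to realloc(). The following is an added illustration written for this page, not fastecdsa's code; `num_t`, `num_init`, `num_set`, `num_clear` and the two `mul_result_*` functions are hypothetical names chosen to mirror the pattern, and the sample limb values are constructed. The vulnerable variant is kept only to show the shape of the bug and is never executed; the fixed variant shows the initialize-before-use discipline that the 2.3.2 patch corresponds to in spirit.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal big-number type: a length plus an owned heap buffer.
 * It stands in for the kind of user-defined type the advisory describes being
 * read from uninitialized stack memory. Not fastecdsa's code. */
typedef struct {
    size_t cap;       /* limbs allocated */
    size_t len;       /* limbs in use */
    unsigned *limbs;  /* heap buffer owned by this number */
} num_t;

/* Put a number into a known empty state. Every other routine assumes this ran. */
void num_init(num_t *n) { n->cap = 0; n->len = 0; n->limbs = NULL; }

/* Copy src into dst, growing dst's buffer when needed. Like GMP's mpz_set,
 * it trusts that dst was initialized: dst->limbs goes straight to realloc(). */
int num_set(num_t *dst, const num_t *src) {
    if (dst->cap < src->len) {
        /* If dst is uninitialized, dst->limbs is whatever was on the stack:
         * an arbitrary pointer handed to the allocator, exactly the failure
         * mode (arbitrary realloc/free, null dereference) the advisory lists. */
        unsigned *p = realloc(dst->limbs, src->len * sizeof *p);
        if (p == NULL) return -1;
        dst->limbs = p;
        dst->cap = src->len;
    }
    memcpy(dst->limbs, src->limbs, src->len * sizeof *dst->limbs);
    dst->len = src->len;
    return 0;
}

/* Release the owned buffer and return to the empty state. */
void num_clear(num_t *n) { free(n->limbs); n->limbs = NULL; n->cap = 0; n->len = 0; }

/* VULNERABLE pattern: the result lives on the stack and is never initialized
 * before num_set writes through it. Undefined behaviour; shown for contrast
 * only and deliberately never called. */
int mul_result_uninitialized(const num_t *in) {
    num_t result;                   /* BUG: cap/len/limbs are indeterminate */
    int rc = num_set(&result, in);  /* realloc() on garbage pointer */
    if (rc == 0) num_clear(&result);
    return rc;
}

/* FIXED pattern: initialize before use, clear afterwards. Returns the number
 * of limbs copied (or -1 on allocation failure) and optionally reports the
 * first limb so a caller can check the copy really happened. */
long mul_result_initialized(const num_t *in, unsigned *first_limb_out) {
    num_t result;
    num_init(&result);              /* known state: limbs == NULL, so realloc acts as malloc */
    if (num_set(&result, in) != 0) return -1;
    if (first_limb_out != NULL && result.len > 0) *first_limb_out = result.limbs[0];
    long copied = (long)result.len;
    num_clear(&result);
    return copied;
}

/* Runs the fixed path on a constructed input. The input's limbs live in a
 * stack array, so it is never passed to num_clear. */
long demo_fixed_path(unsigned *first_limb_out) {
    unsigned sample[3] = {0xdeadbeefu, 2u, 3u};  /* constructed sample value */
    num_t in = {3, 3, sample};
    return mul_result_initialized(&in, first_limb_out);
}
```

Building with `-Wall -Wuninitialized` (or running under Valgrind or MemorySanitizer) is the practical check for this bug class: the fixed path reports nothing, while the uninitialized variant is flagged because `result.limbs` reaches realloc() without ever being assigned.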
How to fix CVE-2024-21502
To fix CVE-2024-21502, upgrade the affected package to one of the patched versions below.
- Upgrade to 2.3.2 or later
- Upgrade to commit 57fc5689c95d649dab7ef60cc99ac64589f01e36 or later
Is CVE-2024-21502 being exploited?
Low. EPSS is 0.1%, and no large-scale exploitation activity has been observed so far.
Affected packages (2)
- from 0, < 2.3.2
- from 0, < 57fc5689c95d649dab7ef60cc99ac64589f01e36 | from 0, < 2.3.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |