CVE-2024-36120 - Vulnerability Details - OpenCVE

javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0. Users are advised to update. Users unable to upgrade should disable the expression simplification feature.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Ben-sb	Javascript Deobfuscator

No data.

No data.

References

Link	Providers
https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6
https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-31T16:29:14.773Z

Updated: 2024-08-02T03:30:12.973Z

Reserved: 2024-05-20T21:07:48.189Z

Link: CVE-2024-36120

Vulnrichment

Updated: 2024-05-31T18:49:24.276Z

NVD

Status : Awaiting Analysis

Published: 2024-05-31T17:15:09.317

Modified: 2024-11-21T09:21:39.810

Link: CVE-2024-36120

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36120", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-20T21:07:48.189Z", "datePublished": "2024-05-31T16:29:14.773Z", "dateUpdated": "2024-08-02T03:30:12.973Z"}, "containers": {"cna": {"title": "javascript-deobfuscator crafted payload can lead to code execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m"}, {"name": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6", "tags": ["x_refsource_MISC"], "url": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6"}], "affected": [{"vendor": "ben-sb", "product": "javascript-deobfuscator", "versions": [{"version": "< 1.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-31T16:44:17.180Z"}, "descriptions": [{"lang": "en", "value": "javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0. Users are advised to update. Users unable to upgrade should disable the expression simplification feature."}], "source": {"advisory": "GHSA-9p6p-8v9r-8c9m", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36120", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-31T18:29:44.579398Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ben-sb:javascript_deobfuscator:*:*:*:*:*:*:*:*"], "vendor": "ben-sb", "product": "javascript_deobfuscator", "versions": [{"status": "affected", "version": "0", "lessThan": "1.1.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:47:46.023Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:30:12.973Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m"}, {"name": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36120", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-20T21:07:48.189Z", "datePublished": "2024-05-31T16:29:14.773Z", "dateUpdated": "2024-06-04T17:47:46.023Z"}, "containers": {"cna": {"title": "javascript-deobfuscator crafted payload can lead to code execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m"}, {"name": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6", "tags": ["x_refsource_MISC"], "url": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6"}], "affected": [{"vendor": "ben-sb", "product": "javascript-deobfuscator", "versions": [{"version": "< 1.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-31T16:44:17.180Z"}, "descriptions": [{"lang": "en", "value": "javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0. Users are advised to update. Users unable to upgrade should disable the expression simplification feature."}], "source": {"advisory": "GHSA-9p6p-8v9r-8c9m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36120", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-31T18:29:44.579398Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ben-sb:javascript_deobfuscator:*:*:*:*:*:*:*:*"], "vendor": "ben-sb", "product": "javascript_deobfuscator", "versions": [{"status": "affected", "version": "0", "lessThan": "1.1.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-31T18:49:24.276Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"descriptions": [{"lang": "en", "value": "javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0. Users are advised to update. Users unable to upgrade should disable the expression simplification feature."}, {"lang": "es", "value": "javascript-deobfuscator elimina t\u00e9cnicas comunes de ofuscaci\u00f3n de JavaScript. En las versiones afectadas, los payloads manipulados destinados a la simplificaci\u00f3n de expresiones pueden conducir a la ejecuci\u00f3n de c\u00f3digo. Este problema se solucion\u00f3 en la versi\u00f3n 1.1.0. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben desactivar la funci\u00f3n de simplificaci\u00f3n de expresiones."}], "id": "CVE-2024-36120", "lastModified": "2024-11-21T09:21:39.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-31T17:15:09.317", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6"}, {"source": "security-advisories@github.com", "url": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}