Vulnerability Description
Janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow. NOTE: this is disputed by multiple parties because Janino is not intended for use with untrusted input.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Janino Project | Janino | <= 3.1.9 |
Related Weaknesses (CWE)
References
- https://github.com/janino-compiler/janino/issues/201ExploitIssue TrackingThird Party Advisory
- https://janino-compiler.github.io/janino/#security
- https://github.com/janino-compiler/janino/issues/201ExploitIssue TrackingThird Party Advisory
- https://janino-compiler.github.io/janino/#security
FAQ
What is CVE-2023-33546?
CVE-2023-33546 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could su...
How severe is CVE-2023-33546?
CVE-2023-33546 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-33546?
Check the references section above for vendor advisories and patch information. Affected products include: Janino Project Janino.