CVE-2024-8948 — HIGH (7.3) — White Hats Nepal

Vulnerability Description

A vulnerability was found in MicroPython 1.23.0. It has been rated as critical. Affected by this issue is the function mpz_as_bytes of the file py/objint.c. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 908ab1ceca15ee6fd0ef82ca4cba770a3ec41894. It is recommended to apply a patch to fix this issue. In micropython objint component, converting zero from int to bytes leads to heap buffer-overflow-write at mpz_as_bytes.

CVSS Score

7.3

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Micropython	Micropython	1.23.0

Related Weaknesses (CWE)

CWE-122 CWE-787

References

https://github.com/micropython/micropython/commit/908ab1ceca15ee6fd0ef82ca4cba77Patch
https://github.com/micropython/micropython/issues/13041ExploitIssue TrackingThird Party Advisory
https://vuldb.com/?ctiid.277766Permissions Required
https://vuldb.com/?id.277766Third Party Advisory
https://vuldb.com/?submit.409317Third Party Advisory

FAQ

What is CVE-2024-8948?

CVE-2024-8948 is a vulnerability with a CVSS score of 7.3 (HIGH). A vulnerability was found in MicroPython 1.23.0. It has been rated as critical. Affected by this issue is the function mpz_as_bytes of the file py/objint.c. The manipulation leads to heap-based buffer...

How severe is CVE-2024-8948?

CVE-2024-8948 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-8948?

Check the references section above for vendor advisories and patch information. Affected products include: Micropython Micropython.