Vulnerability Details : CVE-2021-46463
Potential exploit
njs through 0.7.1, used in NGINX, was discovered to contain a control flow hijack caused by a Type Confusion vulnerability in njs_promise_perform_then().
Products affected by CVE-2021-46463
- cpe:2.3:a:f5:njs:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-46463
0.43%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 60 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-46463
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2021-46463
-
The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-46463
-
https://github.com/nginx/njs/commit/6a40a85ff239497c6458c7dbef18f6a2736fe992
Fixed type confusion bug while resolving promises. · nginx/njs@6a40a85 · GitHubPatch;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20220303-0007/
February 2022 NGINX Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://github.com/nginx/njs/issues/447
Control flow hijack caused by Type Confusion of Promise object · Issue #447 · nginx/njs · GitHubExploit;Issue Tracking;Patch;Third Party Advisory
Jump to