Vulnerability Details: CVE-2023-25344
Potential exploit
An issue discovered in swig-templates through 2.0.4 and swig through 1.4.2 allows attackers to execute arbitrary code via a crafted Object.prototype anonymous function.
Vulnerability category: Execute code
Products affected by CVE-2023-25344
- cpe:2.3:a:swig-templates_project:swig-templates:*:*:*:*:*:*:*:*
- cpe:2.3:a:swig_project:swig:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-25344
- EPSS score: 0.12% (probability of exploitation activity in the next 30 days)
- Percentile: ~33% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2023-25344
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2023-25344
- The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
References for CVE-2023-25344
- https://github.com/node-swig/swig-templates/issues/89
  Security Issue: code execution vulnerability during template rendering · Issue #89 · node-swig/swig-templates · GitHub (Exploit; Issue Tracking)
- https://www.gem-love.com/2023/02/01/Swig%E6%A8%A1%E6%9D%BF%E5%BC%95%E6%93%8E0day%E6%8C%96%E6%8E%98-%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E5%92%8C%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96/
  Swig template engine 0-day hunting: code execution and file read | 颖奇L'Amore (Exploit)