Bugzilla – Bug 1211923
VUL-0: CVE-2023-33546: janino: janino 3.1.9 and earlier are subject to denial of service (DOS)
Last modified: 2023-09-07 05:53:45 UTC
janino 3.1.9 and earlier are subject to denial of service (DoS) attacks when using the ExpressionEvaluator.guessParameterNames method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow.

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-33546
- https://www.cve.org/CVERecord?id=CVE-2023-33546
- https://github.com/janino-compiler/janino/issues/201
Potentially affected packages:
- SUSE:SLE-15-SP2:Update/janino

The GH issue is still open, let's wait for the upstream to develop a patch.
This is an autogenerated message for OBS integration: This bug (1211923) was mentioned in https://build.opensuse.org/request/show/1103981 (Factory / janino).
SUSE-SU-2023:3385-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1211923
CVE References: CVE-2023-33546
Sources used:
- openSUSE Leap 15.4 (src): janino-3.1.10-150200.3.7.1
- openSUSE Leap 15.5 (src): janino-3.1.10-150200.3.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.