Upstream information

CVE-2024-8947 at MITRE

Description

A vulnerability was found in MicroPython 1.22.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file py/objarray.c. The manipulation leads to use after free. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 1.23.0 is able to address this issue. The identifier of the patch is 4bed614e707c0644c06e117f848fa12605c711cd. It is recommended to upgrade the affected component. In micropython objarray component, when a bytes object is resized and copied into itself, it may reference memory that has already been freed.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

CVSS v2 Scores
  CNA (VulDB)
Base Score 5.1
Vector AV:N/AC:H/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity High
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial
CVSS v3 Scores
  CNA (VulDB) National Vulnerability Database
Base Score 5.6 8.1
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network Network
Attack Complexity High High
Privileges Required None None
User Interaction None None
Scope Unchanged Unchanged
Confidentiality Impact Low High
Integrity Impact Low High
Availability Impact Low High
CVSSv3 Version 3.1 3.1
CVSS v4 Scores
  CNA (VulDB)
Base Score 6.3
Vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Attack Requirements None
Privileges Required None
User Interaction None
Vulnerable System Confidentiality Impact Low
Vulnerable System Integrity Impact Low
Vulnerable System Availability Impact Low
Subsequent System Confidentiality Impact None
Subsequent System Integrity Impact None
Subsequent System Availability Impact None
CVSSv4 Version 4.0
SUSE Bugzilla entry: 1230676 [NEW]

No SUSE Security Announcements cross referenced.


SUSE Timeline for this CVE

CVE page created: Tue Sep 17 22:00:15 2024
CVE page last modified: Wed Sep 25 14:46:13 2024