CVE-2024-53849 (GCVE-0-2024-53849)
Vulnerability from cvelistv5
Published
2024-11-26 23:34
Modified
2024-11-27 15:35
CWE
  • CWE-121 - Stack-based Buffer Overflow
Summary
editorconfig-core-c is the EditorConfig core library written in C (for use by plugins supporting EditorConfig parsing). In affected versions, several overflows may occur in the switch case '[' when the input pattern contains many escaped characters. The added backslashes leave too little space in the output pattern when processing nested brackets, so that the remaining input length exceeds the output capacity. This issue has been addressed in release version 0.12.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Impacted products


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:editorconfig:editorconfig:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "editorconfig",
            "vendor": "editorconfig",
            "versions": [
              {
                "lessThan": "0.12.7",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53849",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-27T15:33:19.707403Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-27T15:35:10.367Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "editorconfig-core-c",
          "vendor": "editorconfig",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.12.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "editorconfig-core-c  is  theEditorConfig core library written in C (for use by plugins supporting EditorConfig parsing). In affected versions several overflows may occur in switch case \u0027[\u0027 when the input pattern contains many escaped characters. The added backslashes leave too little space in the output pattern when processing nested brackets such that the remaining input length exceeds the output capacity. This issue has been addressed in release version 0.12.7. Users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-26T23:34:58.784Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-475j-wc37-6274",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-475j-wc37-6274"
        },
        {
          "name": "https://github.com/editorconfig/editorconfig-core-c/pull/103",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/editorconfig/editorconfig-core-c/pull/103"
        },
        {
          "name": "https://github.com/editorconfig/editorconfig-core-c/commit/4d5518a0a4e4910c37281ab13a048d0d86999782",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/editorconfig/editorconfig-core-c/commit/4d5518a0a4e4910c37281ab13a048d0d86999782"
        },
        {
          "name": "https://github.com/editorconfig/editorconfig-core-c/commit/a8dd5312e08abeab95ff5656d32ed3cb85fba70b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/editorconfig/editorconfig-core-c/commit/a8dd5312e08abeab95ff5656d32ed3cb85fba70b"
        },
        {
          "name": "http://editorconfig.org",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://editorconfig.org"
        }
      ],
      "source": {
        "advisory": "GHSA-475j-wc37-6274",
        "discovery": "UNKNOWN"
      },
      "title": "Several stack buffer overflows and pointer overflows in editorconfig-core-c"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-53849",
    "datePublished": "2024-11-26T23:34:58.784Z",
    "dateReserved": "2024-11-22T17:30:02.140Z",
    "dateUpdated": "2024-11-27T15:35:10.367Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-53849\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-27T00:15:18.223\",\"lastModified\":\"2024-11-27T00:15:18.223\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"editorconfig-core-c  is  theEditorConfig core library written in C (for use by plugins supporting EditorConfig parsing). In affected versions several overflows may occur in switch case \u0027[\u0027 when the input pattern contains many escaped characters. The added backslashes leave too little space in the output pattern when processing nested brackets such that the remaining input length exceeds the output capacity. This issue has been addressed in release version 0.12.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"editorconfig-core-c es la librer\u00eda principal de EditorConfig escrita en C (para uso de complementos que admitan el an\u00e1lisis de EditorConfig). En las versiones afectadas, pueden producirse varios desbordamientos en el caso de conmutaci\u00f3n \u0027[\u0027 cuando el patr\u00f3n de entrada contiene muchos caracteres de escape. Las barras invertidas agregadas dejan muy poco espacio en el patr\u00f3n de salida al procesar corchetes anidados, de modo que la longitud de entrada restante excede la capacidad de salida. Este problema se ha solucionado en la versi\u00f3n de lanzamiento 0.12.7. Se recomienda a los usuarios que actualicen. 
No existen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnerableSystemConfidentiality\":\"LOW\",\"vulnerableSystemIntegrity\":\"LOW\",\"vulnerableSystemAvailability\":\"LOW\",\"subsequentSystemConfidentiality\":\"NONE\",\"subsequentSystemIntegrity\":\"NONE\",\"subsequentSystemAvailability\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirements\":\"NOT_DEFINED\",\"integrityRequirements\":\"NOT_DEFINED\",\"availabilityRequirements\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnerableSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedVulnerableSystemIntegrity\":\"NOT_DEFINED\",\"modifiedVulnerableSystemAvailability\":\"NOT_DEFINED\",\"modifiedSubsequentSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedSubsequentSystemIntegrity\":\"NOT_DEFINED\",\"modifiedSubsequentSystemAvailability\":\"NOT_DEFINED\",\"safety\":\"NOT_DEFINED\",\"automatable\":\"NOT_DEFINED\",\"recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-121\"}]}],\"references\":[{\"url\":\"http://editorconfig.org\",\"source\":\"security-advis
ories@github.com\"},{\"url\":\"https://github.com/editorconfig/editorconfig-core-c/commit/4d5518a0a4e4910c37281ab13a048d0d86999782\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/editorconfig/editorconfig-core-c/commit/a8dd5312e08abeab95ff5656d32ed3cb85fba70b\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/editorconfig/editorconfig-core-c/pull/103\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-475j-wc37-6274\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-53849\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-27T15:33:19.707403Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:editorconfig:editorconfig:*:*:*:*:*:*:*:*\"], \"vendor\": \"editorconfig\", \"product\": \"editorconfig\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.12.7\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-27T15:34:11.647Z\"}}], \"cna\": {\"title\": \"Several stack buffer overflows and pointer overflows in editorconfig-core-c\", \"source\": {\"advisory\": \"GHSA-475j-wc37-6274\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"editorconfig\", \"product\": \"editorconfig-core-c\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.12.7\"}]}], \"references\": [{\"url\": \"https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-475j-wc37-6274\", \"name\": \"https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-475j-wc37-6274\", \"tags\": 
[\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/editorconfig/editorconfig-core-c/pull/103\", \"name\": \"https://github.com/editorconfig/editorconfig-core-c/pull/103\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/editorconfig/editorconfig-core-c/commit/4d5518a0a4e4910c37281ab13a048d0d86999782\", \"name\": \"https://github.com/editorconfig/editorconfig-core-c/commit/4d5518a0a4e4910c37281ab13a048d0d86999782\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/editorconfig/editorconfig-core-c/commit/a8dd5312e08abeab95ff5656d32ed3cb85fba70b\", \"name\": \"https://github.com/editorconfig/editorconfig-core-c/commit/a8dd5312e08abeab95ff5656d32ed3cb85fba70b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://editorconfig.org\", \"name\": \"http://editorconfig.org\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"editorconfig-core-c  is  theEditorConfig core library written in C (for use by plugins supporting EditorConfig parsing). In affected versions several overflows may occur in switch case \u0027[\u0027 when the input pattern contains many escaped characters. The added backslashes leave too little space in the output pattern when processing nested brackets such that the remaining input length exceeds the output capacity. This issue has been addressed in release version 0.12.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-121\", \"description\": \"CWE-121: Stack-based Buffer Overflow\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-26T23:34:58.784Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-53849\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-27T15:35:10.367Z\", \"dateReserved\": \"2024-11-22T17:30:02.140Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-26T23:34:58.784Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}






Tags
Taxonomy of the tags.



Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

