CVE-2020-1915

CVE-2020-1915

Name

CVE-2020-1915

Description

An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Patch	https://github.com/facebook/hermes/commit/8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0
Vendor Advisory	https://www.facebook.com/security/advisories/cve-2020-1915

Type

URI

Patch

https://github.com/facebook/hermes/commit/8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0

Vendor Advisory

https://www.facebook.com/security/advisories/cve-2020-1915

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:facebook:hermes::::::::`	hermes	>= None	< 2020-09-25

CPE URI

Source package

Min version

Max version

cpe:2.3:a:facebook:hermes:*:*:*:*:*:*:*:*

hermes

>= None

< 2020-09-25

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
hermes	3.13-community	1.9-r7	ScrumpyJack <scrumpyjack@st.ilet.to>	fixed
hermes	3.14-community	1.9-r7	ScrumpyJack <scrumpyjack@st.ilet.to>	fixed
hermes	3.15-community	1.9-r8	ScrumpyJack <scrumpyjack@st.ilet.to>	fixed
hermes	3.16-community	1.9-r8	ScrumpyJack <scrumpyjack@st.ilet.to>	fixed
hermes	edge-community	1.9-r9	ScrumpyJack <scrumpyjack@st.ilet.to>	fixed
hermes	3.17-community	1.9-r9	ScrumpyJack <scrumpyjack@st.ilet.to>	fixed

Source package

Branch

Version

Maintainer

Status

hermes

3.13-community

1.9-r7

ScrumpyJack <scrumpyjack@st.ilet.to>

fixed

hermes

3.14-community