CVE-2022-43357

Name
CVE-2022-43357
Description
Stack overflow vulnerability in ast_selectors.cpp in function Sass::CompoundSelector::has_real_parent_ref in libsass:3.6.5-8-g210218, which can be exploited by attackers to cause a denial of service (DoS). Also affects the command line driver for libsass, sassc 3.6.2.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type   URI
MISC   https://github.com/sass/libsass/issues/3177
MISC   https://github.com/sass/libsass
MISC   https://drive.google.com/file/d/1aC5q3czen0atI91fuBIoCBFkS30_OSWX/

Match rules

CPE URI                                                        Source package   Min version   Max version
cpe:2.3:a:sass-lang:sassc:3.6.2:*:*:*:*:*:*:*                  sassc            == None       == 3.6.2
cpe:2.3:a:sass-lang:libsass:3.6.5-8-g210218:*:*:*:*:*:*:*      libsass          == None       == 3.6.5-8-g210218

Vulnerable and fixed packages

Source package   Branch            Version    Maintainer                                  Status
sassc            edge-community    3.6.2-r2   Thomas Boerger <thomas@webhippie.de>        possibly vulnerable
sassc            3.18-community    3.6.2-r1   Thomas Boerger <thomas@webhippie.de>        possibly vulnerable
sassc            3.19-community    3.6.2-r2   Thomas Boerger <thomas@webhippie.de>        possibly vulnerable
libsass          edge-community    3.6.6-r0   Natanael Copa <ncopa@alpinelinux.org>       fixed
libsass          3.19-community    3.6.6-r0   Natanael Copa <ncopa@alpinelinux.org>       fixed
sassc            3.20-community    3.6.2-r2   Thomas Boerger <thomas@webhippie.de>        possibly vulnerable
libsass          3.20-community    3.6.6-r0   Natanael Copa <ncopa@alpinelinux.org>       fixed