Headline
CVE-2023-29458: [ZBX-22989] Duktape 2.6 bug crashes JavaScript putting too many values in valstack (CVE-2023-29458)
Duktape is a 3rd-party embeddable JavaScript engine, with a focus on portability and compact footprint. When too many values are added to the valstack, JavaScript will crash. This issue occurs due to a bug in Duktape 2.6, which is a 3rd-party solution that we use.
Mitre ID
CVE-2023-29458
CVSS score
5.9
Severity
Medium
Summary
JavaScript crashes if too many values are put on the valstack, due to a bug in Duktape 2.6
Description
Duktape is a 3rd-party embeddable JavaScript engine, with a focus on portability and compact footprint.
Known attack vectors
This vulnerability could be used to intentionally add too many values into the valstack to crash JavaScript.
Patch provided
No
Component/s
Proxy, Server
Affected version/s and fix version/s
· Affected: 5.0.34, 6.0.17, 6.4.2, 7.0.0alpha1
· Fix: 5.0.35rc1, 6.0.18rc1, 6.4.3rc1, 7.0.0alpha1
Fix compatibility tests
-
Resolution
Fixed
Workarounds
Acknowledgements
nepalihacker0x01