
Whether V8: CVE-2024-3159 and V8: CVE-2024-3156 have an impact on the use of Node.js? #184

Open
yansf opened this issue Apr 10, 2024 · 5 comments


yansf commented Apr 10, 2024

Version
21.7.2

Platform
No response

Subsystem
No response

What steps will reproduce the bug?
No response

How often does it reproduce? Is there a required condition?
No response

What is the expected behavior? Why is that the expected behavior?
No response

What do you see instead?
Hi colleague,

In a recent BDBA scan, there were two CVEs:
CVE-2024-3159
CVE-2024-3156

detected in Node.js.
According to the descriptions above, they were detected in V8 in Google Chrome. We would like to confirm whether they are true positives in Node.js or not.

Additional information
3159: Out of bounds memory access in V8 in Google Chrome prior to 123.0.6312.105 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
3156: Inappropriate implementation in V8 in Google Chrome prior to 123.0.6312.105 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Best regards,
Shaofeng

@mhdawson (Member) commented

@targos I think you have access to the actual chromium disclosures to take a look?

@targos (Member)

targos commented Apr 12, 2024

Both just need plain JS code to be triggered.

@mhdawson (Member) commented

@targos which I think means they are outside of the Node.js threat model because we trust the code you ask Node.js to run, right?

@targos (Member)

targos commented Apr 12, 2024

yes

@zjhua2002 commented

@targos given that Chromium has fixed them in V8 and Node.js has V8 code, I am not sure whether Node.js applied those V8 fixes from Chromium. Please kindly advise further.
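The practical check behind the last question, as an added example that is not part of the issue thread or of the Node.js project: a Node.js script that reads the V8 build reported by the running binary (`process.versions.v8`) and compares it against an upstream V8 version taken from the Chromium advisory. The default threshold in the script is a placeholder, not the real fixed version for either CVE; pass the actual one as the first argument. The script also encodes the caveat a practitioner needs here: Node.js appends a `-node.N` counter to the upstream V8 version and lands backported V8 fixes under that counter, so a bundled version below the upstream fix does not by itself prove the fix is absent. The authoritative answer is the Node.js release notes and the V8 commits in the Node.js tree.

```javascript
// Added example (not from the issue thread or the Node.js project).
// Reports the V8 build bundled in the running Node.js binary and compares
// it against an upstream V8 version that carries a fix.
//
// Node.js reports V8 as e.g. "11.8.172.17-node.20": the upstream V8 version
// followed by a Node-specific patch counter. Backports land under that
// "-node.N" counter, so a result of "below-fix" is a prompt to check the
// Node.js changelog, not a verdict that the fix is missing.

function parseV8Version(str) {
  // Split "11.8.172.17-node.20" into numeric upstream components and the
  // Node patch counter (null when the string has no "-node.N" suffix).
  const [upstream, suffix] = String(str).split('-');
  const parts = upstream.split('.').map(Number);
  if (parts.length < 3 || parts.some(Number.isNaN)) {
    throw new Error(`unrecognised V8 version string: ${str}`);
  }
  const m = suffix ? /^node\.(\d+)$/.exec(suffix) : null;
  return { parts, nodePatch: m ? Number(m[1]) : null };
}

function compareV8(a, b) {
  // Numeric, component-by-component comparison of the upstream parts only.
  // Returns -1, 0 or 1; the "-node.N" suffix is deliberately ignored because
  // it is not comparable with an upstream V8 version.
  const pa = parseV8Version(a).parts;
  const pb = parseV8Version(b).parts;
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function assessV8(running, fixedUpstream) {
  // Classify the running V8 against the upstream version that carries a fix.
  // "below-fix-check-backports" means the upstream number is older but the
  // build carries Node backports, so the changelog must be consulted.
  const cmp = compareV8(running, fixedUpstream);
  const { nodePatch } = parseV8Version(running);
  if (cmp >= 0) {
    return { status: 'at-or-above-fix', nodePatch };
  }
  return {
    status: nodePatch !== null ? 'below-fix-check-backports' : 'below-fix',
    nodePatch,
  };
}

// Placeholder threshold (assumption, not the advisory's value): replace with
// the upstream V8 version named in the Chromium/V8 advisory you are checking.
const fixedUpstream = process.argv[2] || '12.3.0.0';
console.log(`node ${process.versions.node}, v8 ${process.versions.v8}`);
console.log(assessV8(process.versions.v8, fixedUpstream));
```

Run it as `node check-v8.js <fixed-upstream-v8-version>` on each Node.js build the scanner flagged; the printed status tells you whether the bundled V8 tracks a fixed upstream line or whether you need to look for a backport in the Node.js release notes.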
