CRITICAL🇵🇱 Wersja polska

CVE-2024-24188

CVSS 9.8v3.1pub. 2024-02-07upd. 2025-06-09

Jsish v3.5.0 was discovered to contain a heap-buffer-overflow in ./src/jsiUtils.c.

🤖 AI Analysis
How it works

The vulnerability consists of a heap-buffer-overflow in the jsiUtils.c module of the Jsish interpreter. An attacker can provide crafted input data that causes a write beyond the allocated heap memory area. This type of error (CWE-787 — out-of-bounds write) can be exploited to overwrite critical data structures in the process memory.

Impact

An attacker can cause arbitrary code execution (RCE), take control of the application, or cause it to crash. Due to the network vector without authentication requirements, the attack can be performed remotely without user interaction.

Mitigation & patch

Patches available from the vendor should be applied according to the references. It is recommended to monitor the project repository at https://github.com/pcmacdon/jsish for the patched version. Until the patch is applied, access to Jsish-based services from untrusted networks should be restricted.

Who is affected

Jsish version 3.5.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Jsish

    APP
    Jsish
    3.5.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-65570CRITICAL9.8PL ✓ten sam produkt

Type confusion w Jsish 2.0 — RCE przez błędny opcode OP_NEXT

CVE-2024-24189CRITICAL9.8PL ✓ten sam produkt

Use-after-free w Jsish v3.5.0 — podatność krytyczna w SplitChar

CVE-2024-24186CRITICAL9.8PL ✓ten sam produkt

Stack-overflow w Jsish v3.5.0 — przepełnienie stosu w IterGetKeysCallback

CVE-2020-22874CRITICAL9.8ten sam produkt

Integer overflow vulnerability in function Jsi_ObjArraySizer in jsish before 3.0.8, allows remote attackers to...

CVE-2020-22875CRITICAL9.8ten sam produkt

Integer overflow vulnerability in function Jsi_ObjSetLength in jsish before 3.0.6, allows remote attackers to ...