CVE-2023-33546: Out-of-bounds Write

June 1, 2023 (updated June 9, 2023)

janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow.

References

github.com/advisories/GHSA-gcg6-xv4f-f749
github.com/janino-compiler/janino/issues/201
nvd.nist.gov/vuln/detail/CVE-2023-33546

Detect and mitigate CVE-2023-33546 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →