How severe is CVE-2021-31875?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2021-31875?

This is classified as CWE-193, which is a common weakness in software security.

CVE-2021-31875 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

In mjs_json.c in Cesanta MongooseOS mJS 1.26, a maliciously formed JSON string can trigger an off-by-one heap-based buffer overflow in mjs_json_parse, which can potentially lead to redirection of control flow. NOTE: the original reporter disputes the significance of this finding because "there isn’t very much of an opportunity to exploit this reliably for an information leak, so there isn’t any real security impact."

Related Vulnerabilities

CVE-2001-0609

CRITICAL

CVSS:9.8(Critical)

Format string vulnerability in Infodrom cfingerd 1.4.3 and earlier allows a remote attacker to gain additional privileges via a malformed ident reply that is passed to the syslog function.

CWE-1932001

CVE-2001-1496

CRITICAL

CVSS:9.8(Critical)

Off-by-one buffer overflow in Basic Authentication in Acme Labs thttpd 1.95 through 2.20 allows remote attackers to cause a denial of service and possibly execute arbitrary code.

CWE-1932001

CVE-2002-0083

CRITICAL

CVSS:9.8(Critical)

Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges.

CWE-1932002

CVE-2002-1816

CRITICAL

CVSS:9.8(Critical)

Off-by-one buffer overflow in the sock_gets function in sockhelp.c for ATPhttpd 0.4b and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.

CWE-1932002

CVE-2003-0252

CRITICAL

CVSS:9.8(Critical)

Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via cer...

CWE-1932003

CVE-2003-0356

CRITICAL

CVSS:9.8(Critical)

Multiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) AIM, (2) GIOP Gryphon, (3) OSPF, ...

CWE-1932003