CVE-2024-53849 — Vulnetix

CVE-2024-53849 PUBLISHED CVSS 4.800000190734863 MEDIUM

editorconfig-core-c is theEditorConfig core library written in C (for use by plugins supporting EditorConfig parsing). In affected versions several overflows may occur in switch case '[' when the input pattern contains many escaped characters. The added backslashes leave too little space in the output pattern when processing nested brackets such that the remaining input length exceeds the output capacity. This issue has been addressed in release version 0.12.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

EPSS 0.17% · 38.2th percentile

Risk Scores

CVSS 4.0

4.800000190734863

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS Score

0.17%

38.2th percentile

Affected Products

Vendor	Product	Versions
editorconfig	editorconfig-core-c	< 0.12.7
editorconfig	editorconfig	0

Exploit Intelligence

CIRCL seen: CVE-2024-53849 (circl-sighting)
CIRCL seen: CVE-2024-53849 (circl-sighting)
https://lists.debian.org/debian-lts-announce/2024/11/msg00036.html (circl)
https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-475j-wc37-6274 (circl)
https://github.com/editorconfig/editorconfig-core-c/pull/103 (circl)
https://github.com/editorconfig/editorconfig-core-c/commit/4d5518a0a4e4910c37281ab13a048d0d86999782 (circl)
https://github.com/editorconfig/editorconfig-core-c/commit/a8dd5312e08abeab95ff5656d32ed3cb85fba70b (circl)
http://editorconfig.org (circl)

Timeline

Jan 20, 1970 Fix PR Merged
Jan 21, 1970 Security Advisory
Nov 26, 2024 CVE Published
Nov 26, 2024 PoC Published
Nov 27, 2024 EPSS Score
Nov 27, 2024 Coalition ESS Score
Dec 15, 2024 EPSS Score
Jan 1, 2025 EPSS Score
Jan 19, 2025 EPSS Score
Feb 5, 2025 EPSS Score
Feb 22, 2025 EPSS Score
Mar 11, 2025 EPSS Score

References

Open in Interactive Console →