* CVE-2020-24346
  Description: "njs through 0.4.3, used in NGINX, has a use-after-free in njs_json_parse_iterator_call in njs_json.c."
  Bug: https://github.com/nginx/njs/issues/325

* CVE-2020-24347
  Description: "njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_lvlhsh_level_find in njs_lvlhsh.c."
  Bug: https://github.com/nginx/njs/issues/323

* CVE-2020-24348
  Description: "njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c."
  Bug: https://github.com/nginx/njs/issues/322

* CVE-2020-24349
  Description: "njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface."
  Bug: https://github.com/nginx/njs/issues/324
All bugs were marked as "fluff" by upstream, and on one bug: "Regarding remote exploitability: nginx-njs threat model considers njs code as a part of nginx configuration (which includes among other things certificates and keys). So, njs code is expected to be not controllable by a remote user." but I'll let Whissi vote on this given it's his package.
Upstream considers reported issues as normal bugs because in NJS there is no way to dynamically execute any code -- all JS code is statically compiled at nginx start (https://github.com/nginx/njs/issues/324#issuecomment-688677832).

All done, repository is clean.