EditorConfig Core Library Vulnerability
CVE-2024-53849

4.8MEDIUM

Key Information:

Vendor

Editorconfig

Status
Editorconfig-core-c
Vendor
CVE Published:
27 November 2024

What is CVE-2024-53849?

editorconfig-core-c is theEditorConfig core library written in C (for use by plugins supporting EditorConfig parsing). In affected versions several overflows may occur in switch case '[' when the input pattern contains many escaped characters. The added backslashes leave too little space in the output pattern when processing nested brackets such that the remaining input length exceeds the output capacity. This issue has been addressed in release version 0.12.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Version(s)

editorconfig-core-c < 0.12.7

References

https://github.com/editorconfig/editorconfig-core-c/secur...
x_refsource_CONFIRM
https://github.com/editorconfig/editorconfig-core-c/pull/103
x_refsource_MISC
https://github.com/editorconfig/editorconfig-core-c/commi...
x_refsource_MISC

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

.