Why does it say in the title of the CVE "*via a crafted HTML page**." **?*
On Sunday, 12 March 2023 at 12:56:30 UTC+2 Ben Noordhuis wrote: > On Sun, Mar 12, 2023 at 9:44 AM Meir Shpilraien <me...@redis.com> wrote: > > > > Hello v8-dev, > > > > I saw some CVE descriptions which look like this: > > > > Type confusion in V8 in Google Chrome prior to 111.0.5563.64 allowed a > remote attacker to potentially exploit heap corruption via a crafted HTML > page. (Chromium security severity: High) > > > > I tried to find more specific information about such CVE's but seems > like such information is not public. I want to know if a pure V8 is expose > to such CVE's or is it only in the integration with chromium? > > > > I am asking because I want to estimate how much I am expose to such > CVE's assuming my application only embeds V8. > > > > I took the CVE list from here: > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=v8 > > > > Thanks, > > Meir > > Type confusion is (to the best of my knowledge) always a bug in V8. If > you are executing untrusted JS code, then your application is likely > affected. > > The CVE you used an example is CVE-2023-1214 and was a bug in V8's > serializer. If you don't use that, you're _probably_ not affected - > but why take chances? > Disclaimer The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful. This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more visit the Mimecast website. -- -- v8-dev mailing list v8-dev@googlegroups.com http://groups.google.com/group/v8-dev --- You received this message because you are subscribed to the Google Groups "v8-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to v8-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/27d15665-6d04-4fce-9fd3-7b4c29fde816n%40googlegroups.com.
