CVE-2021-24037
https://notcve.org/view.php?id=CVE-2021-24037
A use after free in hermes, while emitting certain error messages, prior to commit d86e185e485b6330216dee8e854455c694e3a36e allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
• https://github.com/facebook/hermes/commit/d86e185e485b6330216dee8e854455c694e3a36e
• https://www.facebook.com/security/advisories/CVE-2021-24037
• CWE-416: Use After Free
CVE-2021-23910
https://notcve.org/view.php?id=CVE-2021-23910
An issue was discovered in HERMES 2.1 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. There is an out-of-bounds array access in RemoteDiagnosisApp.
• https://keenlab.tencent.com/en/2021/05/12/Tencent-Security-Keen-Lab-Experimental-Security-Assessment-on-Mercedes-Benz-Cars
• https://keenlab.tencent.com/en/whitepapers/Mercedes_Benz_Security_Research_Report_Final.pdf
• https://media.daimler.com/marsMediaSite/en/instance/ko.xhtml?oid=49946866
• CWE-787: Out-of-bounds Write
CVE-2021-23909
https://notcve.org/view.php?id=CVE-2021-23909
An issue was discovered in HERMES 2.1 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. The SH2 MCU allows remote code execution.
• https://keenlab.tencent.com/en/2021/05/12/Tencent-Security-Keen-Lab-Experimental-Security-Assessment-on-Mercedes-Benz-Cars
• https://keenlab.tencent.com/en/whitepapers/Mercedes_Benz_Security_Research_Report_Final.pdf
• https://media.daimler.com/marsMediaSite/en/instance/ko.xhtml?oid=49946866
• CWE-787: Out-of-bounds Write
CVE-2020-1896
https://notcve.org/view.php?id=CVE-2020-1896
A stack overflow vulnerability in Facebook Hermes 'builtin apply' prior to commit 86543ac47e59c522976b5632b8bf9a2a4583c7d2 (https://github.com/facebook/hermes/commit/86543ac47e59c522976b5632b8bf9a2a4583c7d2) allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
• https://github.com/facebook/hermes/commit/86543ac47e59c522976b5632b8bf9a2a4583c7d2
• https://www.facebook.com/security/advisories/cve-2020-1896
• CWE-121: Stack-based Buffer Overflow
• CWE-787: Out-of-bounds Write
CVE-2019-19561
https://notcve.org/view.php?id=CVE-2019-19561
A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with direct physical access to device hardware to obtain cellular modem information.
• https://media.daimler.com/marsMediaSite/en/instance/ko/Mercedes-Benz-and-360-Group-to-join-forces-Mercedes-Benz-and-360-Group-with-its-Cyber-Security-Brain-work-together-to-strengthen-car-IT-security-for-industry.xhtml?oid=45208829
• https://skygo.360.cn/archive/Security-Research-Report-on-Mercedes-Benz-Cars-en.pdf
• CWE-922: Insecure Storage of Sensitive Information