sass-lang 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには vendor risk memory corruption and バッファオーバーフロー があり、vendor surface software deployment and vendor surface production workloads の利用場面で アプリケーションクラッシュ and vendor impact memory corruption などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2022-43358 | Stack overflow vulnerability in ast_selectors.cpp: in function Sass::ComplexSelector::has_placeholder in libsass:3.6.5-8-g210218, which can be exploited by attackers to cause a denial of service (DoS). | [email protected] | 7.5 | 0.16% | 2023-08-22 | 2024-11-21 |
| CVE-2022-43357 | Stack overflow vulnerability in ast_selectors.cpp in function Sass::CompoundSelector::has_real_parent_ref in libsass:3.6.5-8-g210218, which can be exploited by attackers to causea denial of service (DoS). Also affects the command line driver for libsass, sassc 3.6.2. | [email protected] | 7.5 | 0.21% | 2023-08-22 | 2024-11-21 |
| CVE-2022-26592 | Stack Overflow vulnerability in libsass 3.6.5 via the CompoundSelector::has_real_parent_ref function. | [email protected] | 8.8 | 0.10% | 2023-08-22 | 2024-11-21 |
| CVE-2020-24025 | Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path. | [email protected] | 5.3 | 0.30% | 2021-01-11 | 2024-11-21 |
| CVE-2019-18799 | LibSass before 3.6.3 allows a NULL pointer dereference in Sass::Parser::parseCompoundSelector in parser_selectors.cpp. | [email protected] | 6.5 | 0.43% | 2019-11-06 | 2024-11-21 |
| CVE-2019-18798 | LibSass before 3.6.3 allows a heap-based buffer over-read in Sass::weaveParents in ast_sel_weave.cpp. | [email protected] | 6.5 | 0.43% | 2019-11-06 | 2024-11-21 |
| CVE-2019-18797 | LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp. | [email protected] | 6.5 | 0.20% | 2019-11-06 | 2024-11-21 |
| CVE-2018-20822 | LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp). | [email protected] | 6.5 | 0.52% | 2019-04-23 | 2024-11-21 |
| CVE-2018-20821 | The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp). | [email protected] | 6.5 | 0.72% | 2019-04-23 | 2024-11-21 |
| CVE-2019-6286 | In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693. | [email protected] | 6.5 | 0.28% | 2019-01-14 | 2024-11-21 |
| CVE-2019-6284 | In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp. | [email protected] | 6.5 | 0.22% | 2019-01-14 | 2024-11-21 |
| CVE-2019-6283 | In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp. | [email protected] | 6.5 | 0.28% | 2019-01-14 | 2024-11-21 |
| CVE-2018-20190 | In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file. | [email protected] | 6.5 | 0.28% | 2018-12-17 | 2024-11-21 |
| CVE-2018-19839 | In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file. | [email protected] | 6.5 | 0.26% | 2018-12-04 | 2024-11-21 |
| CVE-2018-19838 | In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy(). | [email protected] | 6.5 | 0.75% | 2018-12-04 | 2024-11-21 |
| CVE-2018-19837 | In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp. | [email protected] | 6.5 | 0.68% | 2018-12-04 | 2024-11-21 |
| CVE-2018-19827 | In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact. | [email protected] | 8.8 | 0.44% | 2018-12-03 | 2024-11-21 |
| CVE-2018-19826 | In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters. NOTE: Upstream comments indicate this issue is closed as "won't fix" and "works as intended" by design | [email protected] | 6.5 | 0.43% | 2018-12-03 | 2024-11-21 |
| CVE-2018-19797 | In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file. | [email protected] | 6.5 | 0.33% | 2018-12-03 | 2024-11-21 |
| CVE-2018-19219 | In LibSass 3.5-stable, there is an illegal address access at Sass::Eval::operator that will lead to a DoS attack. | [email protected] | 6.5 | 0.26% | 2018-11-12 | 2024-11-21 |