boa_engine: add information about CVE-2024-43357

crates/boa_engine/RUSTSEC-0000-0000.md

@@ -0,0 +1,45 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "boa_engine"
+date = "2024-08-14"
+url = "https://github.com/boa-dev/boa/security/advisories/GHSA-f67q-wr6w-23jq"
+references = ["https://nvd.nist.gov/vuln/detail/CVE-2024-43357","https://github.com/boa-dev/boa/commit/69ea2f52ed976934bff588d6b566bae01be313f7"]
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"
+aliases = ["GHSA-f67q-wr6w-23jq", "CVE-2024-43367"]
+related = ["CVE-2024-43357"]
+license = "CC-BY-4.0"
+
+[versions]
+patched = [">= 0.19"]
+unaffected = ["< 0.16"]
+```
+
+# Uncaught exception when transitioning the state of `AsyncGenerator` objects from within a property getter of `then` 
+
+A wrong assumption made when handling ECMAScript's AsyncGenerator operations
+can cause an uncaught exception on certain scripts.
+
+## Details
+
+Boa's implementation of AsyncGenerator makes the assumption that the state of
+an AsyncGenerator object cannot change while resolving a promise created by
+methods of AsyncGenerator such as %AsyncGeneratorPrototype%.next,
+%AsyncGeneratorPrototype%.return, or %AsyncGeneratorPrototype%.throw.
+
+However, a carefully constructed code could trigger a state transition from
+a getter method for the promise's then property, which causes the engine to
+fail an assertion of this assumption, causing an uncaught exception. This
+could be used to create a Denial Of Service attack in applications that
+run arbitrary ECMAScript code provided by an external user.
+
+## Patches
+
+Version 0.19.0 is patched to correctly handle this case.
+
+## Workarounds
+
+Users unable to upgrade to the patched version would want to use
+std::panic::catch_unwind to ensure any exceptions caused by the
+engine don't impact the availability of the main application.