CVE-2019-14850 - A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.15.1. An attacker co

CVE-2019-14850

Summary

A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.15.1. An attacker could connect to the nbdkit service and cause it to perform a large amount of work in initializing backend plugins, by simply opening a connection to the service. This vulnerability could cause resource consumption and degradation of service in nbdkit, depending on the plugins configured on the server-side.

References

Vulnerable Configurations

cpe:2.3:a:nbdkit_project:nbdkit:*:*:*:*:*:*:*:*
cpe:2.3:a:nbdkit_project:nbdkit:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

CVSS

Base:	2.6 (as of 24-03-2021 - 18:05)
Impact:
Exploitability:

CWE

CWE-406

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	HIGH	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:H/Au:N/C:N/I:N/A:P

redhat via4

advisories

bugzilla

id	1757258
title	CVE-2019-14850 nbdkit: denial of service due to premature opening of back-end connection

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

AND
comment nbdkit is earlier than 0:1.8.0-3.el7
oval oval:com.redhat.rhsa:tst:20201167001
comment nbdkit is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20191175126

AND

comment nbdkit-basic-plugins is earlier than 0:1.8.0-3.el7
oval oval:com.redhat.rhsa:tst:20201167003
comment nbdkit-basic-plugins is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20191175130

AND
comment nbdkit-devel is earlier than 0:1.8.0-3.el7
oval oval:com.redhat.rhsa:tst:20201167005
comment nbdkit-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20191175134

AND

comment nbdkit-example-plugins is earlier than 0:1.8.0-3.el7
oval oval:com.redhat.rhsa:tst:20201167007
comment nbdkit-example-plugins is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20191175136

AND

comment nbdkit-plugin-python-common is earlier than 0:1.8.0-3.el7
oval oval:com.redhat.rhsa:tst:20201167009
comment nbdkit-plugin-python-common is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20191175140

AND

comment nbdkit-plugin-python2 is earlier than 0:1.8.0-3.el7
oval oval:com.redhat.rhsa:tst:20201167011
comment nbdkit-plugin-python2 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20201167012

AND

comment nbdkit-plugin-vddk is earlier than 0:1.8.0-3.el7
oval oval:com.redhat.rhsa:tst:20201167013
comment nbdkit-plugin-vddk is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20191175144

rhsa

id	RHSA-2020:1167
released	2020-03-31
severity	Low
title	RHSA-2020:1167: nbdkit security and bug fix update (Low)

rpms

nbdkit-0:1.8.0-3.el7
nbdkit-basic-plugins-0:1.8.0-3.el7
nbdkit-debuginfo-0:1.8.0-3.el7
nbdkit-devel-0:1.8.0-3.el7
nbdkit-example-plugins-0:1.8.0-3.el7
nbdkit-plugin-python-common-0:1.8.0-3.el7
nbdkit-plugin-python2-0:1.8.0-3.el7
nbdkit-plugin-vddk-0:1.8.0-3.el7

Last major update

24-03-2021 - 18:05

Published

18-03-2021 - 19:15

Last modified

24-03-2021 - 18:05