ID CVE-2019-3833
Summary Openwsman versions up to and including 2.6.9 are vulnerable to an infinite loop in process_connection() when parsing specially crafted HTTP requests. A remote, unauthenticated attacker can exploit this vulnerability by sending a malicious HTTP request to cause a denial of service on the openwsman server.
References
Vulnerable Configurations
  • cpe:2.3:a:openwsman_project:openwsman:2.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.8:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.9:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.10:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.11:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.12:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.13:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.14:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.4.15:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.6.5:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.6.6:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.6.7:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.6.8:*:*:*:*:*:*:*
  • cpe:2.3:a:openwsman_project:openwsman:2.6.9:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 19-10-2020 - 17:58)
Impact:
Exploitability:
CWE CWE-835
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
advisories
  • bugzilla
    id 1674478
    title CVE-2019-3833 openwsman: Infinite loop in process_connection() allows denial of service
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment libwsman-devel is earlier than 0:2.6.3-7.git4391e5c.el7
            oval oval:com.redhat.rhsa:tst:20203940001
          • comment libwsman-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190638002
        • AND
          • comment libwsman1 is earlier than 0:2.6.3-7.git4391e5c.el7
            oval oval:com.redhat.rhsa:tst:20203940003
          • comment libwsman1 is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190638004
        • AND
          • comment openwsman-client is earlier than 0:2.6.3-7.git4391e5c.el7
            oval oval:com.redhat.rhsa:tst:20203940005
          • comment openwsman-client is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190638006
        • AND
          • comment openwsman-perl is earlier than 0:2.6.3-7.git4391e5c.el7
            oval oval:com.redhat.rhsa:tst:20203940007
          • comment openwsman-perl is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190638008
        • AND
          • comment openwsman-python is earlier than 0:2.6.3-7.git4391e5c.el7
            oval oval:com.redhat.rhsa:tst:20203940009
          • comment openwsman-python is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190638010
        • AND
          • comment openwsman-ruby is earlier than 0:2.6.3-7.git4391e5c.el7
            oval oval:com.redhat.rhsa:tst:20203940011
          • comment openwsman-ruby is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190638012
        • AND
          • comment openwsman-server is earlier than 0:2.6.3-7.git4391e5c.el7
            oval oval:com.redhat.rhsa:tst:20203940013
          • comment openwsman-server is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190638014
    rhsa
    id RHSA-2020:3940
    released 2020-09-29
    severity Moderate
    title RHSA-2020:3940: openwsman security update (Moderate)
  • bugzilla
    id 1674478
    title CVE-2019-3833 openwsman: Infinite loop in process_connection() allows denial of service
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 8 is installed
        oval oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment libwsman-devel is earlier than 0:2.6.5-7.el8
            oval oval:com.redhat.rhsa:tst:20204689001
          • comment libwsman-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190638002
        • AND
          • comment libwsman1 is earlier than 0:2.6.5-7.el8
            oval oval:com.redhat.rhsa:tst:20204689003
          • comment libwsman1 is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190638004
        • AND
          • comment openwsman-client is earlier than 0:2.6.5-7.el8
            oval oval:com.redhat.rhsa:tst:20204689005
          • comment openwsman-client is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190638006
        • AND
          • comment openwsman-debugsource is earlier than 0:2.6.5-7.el8
            oval oval:com.redhat.rhsa:tst:20204689007
          • comment openwsman-debugsource is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190972008
        • AND
          • comment openwsman-python3 is earlier than 0:2.6.5-7.el8
            oval oval:com.redhat.rhsa:tst:20204689009
          • comment openwsman-python3 is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190972010
        • AND
          • comment openwsman-server is earlier than 0:2.6.5-7.el8
            oval oval:com.redhat.rhsa:tst:20204689011
          • comment openwsman-server is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190638014
    rhsa
    id RHSA-2020:4689
    released 2020-11-04
    severity Moderate
    title RHSA-2020:4689: openwsman security update (Moderate)
rpms
  • libwsman-devel-0:2.6.3-7.git4391e5c.el7
  • libwsman1-0:2.6.3-7.git4391e5c.el7
  • openwsman-client-0:2.6.3-7.git4391e5c.el7
  • openwsman-debuginfo-0:2.6.3-7.git4391e5c.el7
  • openwsman-perl-0:2.6.3-7.git4391e5c.el7
  • openwsman-python-0:2.6.3-7.git4391e5c.el7
  • openwsman-ruby-0:2.6.3-7.git4391e5c.el7
  • openwsman-server-0:2.6.3-7.git4391e5c.el7
  • libwsman-devel-0:2.6.5-7.el8
  • libwsman1-0:2.6.5-7.el8
  • libwsman1-debuginfo-0:2.6.5-7.el8
  • openwsman-client-0:2.6.5-7.el8
  • openwsman-client-debuginfo-0:2.6.5-7.el8
  • openwsman-debuginfo-0:2.6.5-7.el8
  • openwsman-debugsource-0:2.6.5-7.el8
  • openwsman-perl-debuginfo-0:2.6.5-7.el8
  • openwsman-python3-0:2.6.5-7.el8
  • openwsman-python3-debuginfo-0:2.6.5-7.el8
  • openwsman-server-0:2.6.5-7.el8
  • openwsman-server-debuginfo-0:2.6.5-7.el8
  • rubygem-openwsman-debuginfo-0:2.6.5-7.el8
refmap via4
bid 107367
confirm
fedora
  • FEDORA-2019-348166f7fd
  • FEDORA-2019-64b384de9b
  • FEDORA-2019-af0cd1b8f7
suse
  • openSUSE-SU-2019:1111
  • openSUSE-SU-2019:1217
Last major update 19-10-2020 - 17:58
Published 14-03-2019 - 22:29
Last modified 19-10-2020 - 17:58