Common Weakness Enumeration

CWE-131

Allowed

Incorrect Calculation of Buffer Size

Abstraction: Base · Status: Draft

The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

270 vulnerabilities reference this CWE, most recent first.

CVE-2021-21793 (GCVE-0-2021-21793)

Vulnerability from cvelistv5 – Published: 2021-07-08 11:11 – Updated: 2024-08-03 18:23
VLAI
Summary
An out-of-bounds write vulnerability exists in the JPG sof_nb_comp header processing functionality of Accusoft ImageGear 19.8 and 19.9. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
CWE
  • CWE-131 - Incorrect Calculation of Buffer Size
Assigner
References
Impacted products
Vendor Product Version
n/a Accusoft Affected: Accusoft ImageGear 19.8 , Accusoft ImageGear 19.9
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:23:29.461Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1257"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Accusoft",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Accusoft ImageGear 19.8 , Accusoft ImageGear 19.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An out-of-bounds write vulnerability exists in the JPG sof_nb_comp header processing functionality of Accusoft ImageGear 19.8 and 19.9. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-131",
              "description": "CWE-131: Incorrect Calculation of Buffer Size",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-08T11:11:53.000Z",
        "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
        "shortName": "talos"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1257"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "talos-cna@cisco.com",
          "ID": "CVE-2021-21793",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Accusoft",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Accusoft ImageGear 19.8 , Accusoft ImageGear 19.9"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An out-of-bounds write vulnerability exists in the JPG sof_nb_comp header processing functionality of Accusoft ImageGear 19.8 and 19.9. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-131: Incorrect Calculation of Buffer Size"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1257",
              "refsource": "MISC",
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1257"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
    "assignerShortName": "talos",
    "cveId": "CVE-2021-21793",
    "datePublished": "2021-07-08T11:11:53.000Z",
    "dateReserved": "2021-01-04T00:00:00.000Z",
    "dateUpdated": "2024-08-03T18:23:29.461Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-21782 (GCVE-0-2021-21782)

Vulnerability from cvelistv5 – Published: 2021-03-31 14:00 – Updated: 2024-08-03 18:23
VLAI
Summary
An out-of-bounds write vulnerability exists in the SGI format buffer size processing functionality of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
CWE
  • CWE-131 - Incorrect Calculation of Buffer Size
Assigner
References
Impacted products
Vendor Product Version
n/a Accusoft Affected: Accusoft ImageGear Accusoft ImageGear 19.8
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:23:29.470Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1244"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Accusoft",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Accusoft ImageGear Accusoft ImageGear 19.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An out-of-bounds write vulnerability exists in the SGI format buffer size processing functionality of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-131",
              "description": "CWE-131: Incorrect Calculation of Buffer Size",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-31T14:00:57.000Z",
        "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
        "shortName": "talos"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1244"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "talos-cna@cisco.com",
          "ID": "CVE-2021-21782",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Accusoft",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Accusoft ImageGear Accusoft ImageGear 19.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An out-of-bounds write vulnerability exists in the SGI format buffer size processing functionality of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-131: Incorrect Calculation of Buffer Size"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1244",
              "refsource": "MISC",
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1244"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
    "assignerShortName": "talos",
    "cveId": "CVE-2021-21782",
    "datePublished": "2021-03-31T14:00:57.000Z",
    "dateReserved": "2021-01-04T00:00:00.000Z",
    "dateUpdated": "2024-08-03T18:23:29.470Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-21776 (GCVE-0-2021-21776)

Vulnerability from cvelistv5 – Published: 2021-03-31 14:00 – Updated: 2024-08-03 18:23
VLAI
Summary
An out-of-bounds write vulnerability exists in the SGI Format Buffer Size Processing functionality of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
CWE
  • CWE-131 - Incorrect Calculation of Buffer Size
Assigner
References
Impacted products
Vendor Product Version
n/a Accusoft Affected: Accusoft ImageGear Accusoft ImageGear 19.8
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:23:29.474Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1232"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Accusoft",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Accusoft ImageGear Accusoft ImageGear 19.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An out-of-bounds write vulnerability exists in the SGI Format Buffer Size Processing functionality of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-131",
              "description": "CWE-131: Incorrect Calculation of Buffer Size",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-31T14:00:37.000Z",
        "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
        "shortName": "talos"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1232"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "talos-cna@cisco.com",
          "ID": "CVE-2021-21776",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Accusoft",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Accusoft ImageGear Accusoft ImageGear 19.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An out-of-bounds write vulnerability exists in the SGI Format Buffer Size Processing functionality of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-131: Incorrect Calculation of Buffer Size"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1232",
              "refsource": "MISC",
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1232"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
    "assignerShortName": "talos",
    "cveId": "CVE-2021-21776",
    "datePublished": "2021-03-31T14:00:37.000Z",
    "dateReserved": "2021-01-04T00:00:00.000Z",
    "dateUpdated": "2024-08-03T18:23:29.474Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-21773 (GCVE-0-2021-21773)

Vulnerability from cvelistv5 – Published: 2021-03-31 13:59 – Updated: 2024-08-03 18:23
VLAI
Summary
An out-of-bounds write vulnerability exists in the TIFF header count-processing functionality of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
CWE
  • CWE-131 - Incorrect Calculation of Buffer Size
Assigner
References
Impacted products
Vendor Product Version
n/a Accusoft Affected: Accusoft ImageGear 19.8
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:23:29.228Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1227"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Accusoft",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Accusoft ImageGear 19.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An out-of-bounds write vulnerability exists in the TIFF header count-processing functionality of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-131",
              "description": "CWE-131: Incorrect Calculation of Buffer Size",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-31T13:59:31.000Z",
        "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
        "shortName": "talos"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1227"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "talos-cna@cisco.com",
          "ID": "CVE-2021-21773",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Accusoft",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Accusoft ImageGear 19.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An out-of-bounds write vulnerability exists in the TIFF header count-processing functionality of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": 8.1,
            "baseSeverity": "High",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-131: Incorrect Calculation of Buffer Size"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1227",
              "refsource": "MISC",
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1227"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
    "assignerShortName": "talos",
    "cveId": "CVE-2021-21773",
    "datePublished": "2021-03-31T13:59:31.000Z",
    "dateReserved": "2021-01-04T00:00:00.000Z",
    "dateUpdated": "2024-08-03T18:23:29.228Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-4155 (GCVE-0-2021-4155)

Vulnerability from cvelistv5 – Published: 2022-08-24 15:10 – Updated: 2024-08-03 17:16
VLAI
Summary
A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them.
Severity
No CVSS data available.
CWE
  • CWE-131 - - Incorrect Calculation of Buffer Size
Assigner
Impacted products
Vendor Product Version
n/a kernel Affected: Fixed in Kernel v5.16
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:16:04.255Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2022/01/10/1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034813"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2021-4155"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://security-tracker.debian.org/tracker/CVE-2021-4155"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=983d8e60f50806f90534cc5373d0ce867e5aaf79"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kernel",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in Kernel v5.16"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-131",
              "description": "CWE-131 - Incorrect Calculation of Buffer Size",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-24T15:10:19.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.openwall.com/lists/oss-security/2022/01/10/1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034813"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2021-4155"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://security-tracker.debian.org/tracker/CVE-2021-4155"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=983d8e60f50806f90534cc5373d0ce867e5aaf79"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2021-4155",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "kernel",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Fixed in Kernel v5.16"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-131 - Incorrect Calculation of Buffer Size"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.openwall.com/lists/oss-security/2022/01/10/1",
              "refsource": "MISC",
              "url": "https://www.openwall.com/lists/oss-security/2022/01/10/1"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2034813",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034813"
            },
            {
              "name": "https://access.redhat.com/security/cve/CVE-2021-4155",
              "refsource": "MISC",
              "url": "https://access.redhat.com/security/cve/CVE-2021-4155"
            },
            {
              "name": "https://security-tracker.debian.org/tracker/CVE-2021-4155",
              "refsource": "MISC",
              "url": "https://security-tracker.debian.org/tracker/CVE-2021-4155"
            },
            {
              "name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=983d8e60f50806f90534cc5373d0ce867e5aaf79",
              "refsource": "MISC",
              "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=983d8e60f50806f90534cc5373d0ce867e5aaf79"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-4155",
    "datePublished": "2022-08-24T15:10:19.000Z",
    "dateReserved": "2021-12-22T00:00:00.000Z",
    "dateUpdated": "2024-08-03T17:16:04.255Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-3491 (GCVE-0-2021-3491)

Vulnerability from cvelistv5 – Published: 2021-06-04 01:40 – Updated: 2024-09-16 22:09
VLAI
Title
Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT bypass
Summary
The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b ("io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") (v5.7-rc1).
CWE
  • CWE-131 - Incorrect Calculation of Buffer Size
Assigner
Impacted products
Vendor Product Version
Linux Linux kernel Affected: trunk , < v5.13-rc4 (custom)
Affected: linux-5.12.y , < v5.12.4 (custom)
Affected: linux-5.11.y , < v5.11.21 (custom)
Affected: linux-5.10.y , < v5.10.37 (custom)
Affected: v5.7-rc1 , < 5.7* (custom)
Create a notification for this product.
Date Public
2021-05-11 00:00
Credits
Billy Jheng Bing-Jhong (@st424204) of STAR Labs working with Trend Micro's Zero Day Initiative
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:53:17.728Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://ubuntu.com/security/notices/USN-4950-1"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://ubuntu.com/security/notices/USN-4949-1"
          },
          {
            "name": "[oss-security] CVE-2021-3491 - Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT  bypass",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2021/05/11/13"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-589/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210716-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Linux kernel",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "v5.13-rc4",
              "status": "affected",
              "version": "trunk",
              "versionType": "custom"
            },
            {
              "lessThan": "v5.12.4",
              "status": "affected",
              "version": "linux-5.12.y",
              "versionType": "custom"
            },
            {
              "lessThan": "v5.11.21",
              "status": "affected",
              "version": "linux-5.11.y",
              "versionType": "custom"
            },
            {
              "lessThan": "v5.10.37",
              "status": "affected",
              "version": "linux-5.10.y",
              "versionType": "custom"
            },
            {
              "lessThan": "5.7*",
              "status": "affected",
              "version": "v5.7-rc1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Billy Jheng Bing-Jhong (@st424204) of STAR Labs working with Trend Micro\u0027s Zero Day Initiative"
        }
      ],
      "datePublic": "2021-05-11T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/\u003cPID\u003e/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (\"io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\") (v5.7-rc1)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-131",
              "description": "CWE-131 Incorrect Calculation of Buffer Size",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-16T10:06:31.000Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://ubuntu.com/security/notices/USN-4950-1"
        },
        {
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://ubuntu.com/security/notices/USN-4949-1"
        },
        {
          "name": "[oss-security] CVE-2021-3491 - Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT  bypass",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://www.openwall.com/lists/oss-security/2021/05/11/13"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-589/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210716-0004/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT  bypass",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@ubuntu.com",
          "DATE_PUBLIC": "2021-05-11 17:00:00 +0000",
          "ID": "CVE-2021-3491",
          "STATE": "PUBLIC",
          "TITLE": "Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT  bypass"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Linux kernel",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "trunk",
                            "version_value": "v5.13-rc4"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "linux-5.12.y",
                            "version_value": "v5.12.4"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "linux-5.11.y",
                            "version_value": "v5.11.21"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "linux-5.10.y",
                            "version_value": "v5.10.37"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "5.7",
                            "version_value": "v5.7-rc1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Linux"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Billy Jheng Bing-Jhong (@st424204) of STAR Labs working with Trend Micro\u0027s Zero Day Initiative"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/\u003cPID\u003e/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (\"io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\") (v5.7-rc1)."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-131 Incorrect Calculation of Buffer Size"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ubuntu.com/security/notices/USN-4950-1",
              "refsource": "UBUNTU",
              "url": "https://ubuntu.com/security/notices/USN-4950-1"
            },
            {
              "name": "https://ubuntu.com/security/notices/USN-4949-1",
              "refsource": "UBUNTU",
              "url": "https://ubuntu.com/security/notices/USN-4949-1"
            },
            {
              "name": "[oss-security] CVE-2021-3491 - Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT  bypass",
              "refsource": "MLIST",
              "url": "https://www.openwall.com/lists/oss-security/2021/05/11/13"
            },
            {
              "name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db",
              "refsource": "MISC",
              "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db"
            },
            {
              "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-589/",
              "refsource": "MISC",
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-589/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210716-0004/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210716-0004/"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2021-3491",
    "datePublished": "2021-06-04T01:40:20.936Z",
    "dateReserved": "2021-04-09T00:00:00.000Z",
    "dateUpdated": "2024-09-16T22:09:25.883Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-0254 (GCVE-0-2021-0254)

Vulnerability from cvelistv5 – Published: 2021-04-22 19:37 – Updated: 2024-09-16 20:11
VLAI
Title
Junos OS: Remote code execution vulnerability in overlayd service
Summary
A buffer size validation vulnerability in the overlayd service of Juniper Networks Junos OS may allow an unauthenticated remote attacker to send specially crafted packets to the device, triggering a partial Denial of Service (DoS) condition, or leading to remote code execution (RCE). Continued receipt and processing of these packets will sustain the partial DoS. The overlayd daemon handles Overlay OAM packets, such as ping and traceroute, sent to the overlay. The service runs as root by default and listens for UDP connections on port 4789. This issue results from improper buffer size validation, which can lead to a buffer overflow. Unauthenticated attackers can send specially crafted packets to trigger this vulnerability, resulting in possible remote code execution. overlayd runs by default in MX Series, ACX Series, and QFX Series platforms. The SRX Series does not support VXLAN and is therefore not vulnerable to this issue. Other platforms are also vulnerable if a Virtual Extensible LAN (VXLAN) overlay network is configured. This issue affects Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S9; 17.3 versions prior to 17.3R3-S11; 17.4 versions prior to 17.4R2-S13, 17.4R3-S4; 18.1 versions prior to 18.1R3-S12; 18.2 versions prior to 18.2R2-S8, 18.2R3-S7; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R1-S8, 18.4R2-S7, 18.4R3-S7; 19.1 versions prior to 19.1R2-S2, 19.1R3-S4; 19.2 versions prior to 19.2R1-S6, 19.2R3-S2; 19.3 versions prior to 19.3R3-S1; 19.4 versions prior to 19.4R2-S4, 19.4R3-S1; 20.1 versions prior to 20.1R2-S1, 20.1R3; 20.2 versions prior to 20.2R2, 20.2R2-S1, 20.2R3; 20.3 versions prior to 20.3R1-S1.
CWE
  • CWE-131 - Incorrect Calculation of Buffer Size
  • Denial of Service (DoS)
Assigner
References
URL Tags
https://kb.juniper.net/JSA11147 x_refsource_MISC
Impacted products
Vendor Product Version
Juniper Networks Junos OS Affected: 15.1 , < 15.1R7-S9 (custom)
Affected: 17.3 , < 17.3R3-S11 (custom)
Affected: 17.4 , < 17.4R2-S13, 17.4R3-S4 (custom)
Affected: 18.1 , < 18.1R3-S12 (custom)
Affected: 18.2 , < 18.2R2-S8, 18.2R3-S7 (custom)
Affected: 18.3 , < 18.3R3-S4 (custom)
Affected: 18.4 , < 18.4R1-S8, 18.4R2-S7, 18.4R3-S7 (custom)
Affected: 19.1 , < 19.1R2-S2, 19.1R3-S4 (custom)
Affected: 19.2 , < 19.2R1-S6, 19.2R3-S2 (custom)
Affected: 19.3 , < 19.3R3-S1 (custom)
Affected: 19.4 , < 19.4R2-S4, 19.4R3-S1 (custom)
Affected: 20.1 , < 20.1R2-S1, 20.1R3 (custom)
Affected: 20.2 , < 20.2R2, 20.2R2-S1, 20.2R3 (custom)
Affected: 20.3 , < 20.3R1-S1 (custom)
Create a notification for this product.
Date Public
2021-04-14 00:00
Credits
Juniper SIRT would like to acknowledge and thank Hoàng Thạch Nguyễn (d4rkn3ss) of STAR Labs for responsibly reporting this vulnerability.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T15:32:10.313Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://kb.juniper.net/JSA11147"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Junos OS",
          "vendor": "Juniper Networks",
          "versions": [
            {
              "lessThan": "15.1R7-S9",
              "status": "affected",
              "version": "15.1",
              "versionType": "custom"
            },
            {
              "lessThan": "17.3R3-S11",
              "status": "affected",
              "version": "17.3",
              "versionType": "custom"
            },
            {
              "lessThan": "17.4R2-S13, 17.4R3-S4",
              "status": "affected",
              "version": "17.4",
              "versionType": "custom"
            },
            {
              "lessThan": "18.1R3-S12",
              "status": "affected",
              "version": "18.1",
              "versionType": "custom"
            },
            {
              "lessThan": "18.2R2-S8, 18.2R3-S7",
              "status": "affected",
              "version": "18.2",
              "versionType": "custom"
            },
            {
              "lessThan": "18.3R3-S4",
              "status": "affected",
              "version": "18.3",
              "versionType": "custom"
            },
            {
              "lessThan": "18.4R1-S8, 18.4R2-S7, 18.4R3-S7",
              "status": "affected",
              "version": "18.4",
              "versionType": "custom"
            },
            {
              "lessThan": "19.1R2-S2, 19.1R3-S4",
              "status": "affected",
              "version": "19.1",
              "versionType": "custom"
            },
            {
              "lessThan": "19.2R1-S6, 19.2R3-S2",
              "status": "affected",
              "version": "19.2",
              "versionType": "custom"
            },
            {
              "lessThan": "19.3R3-S1",
              "status": "affected",
              "version": "19.3",
              "versionType": "custom"
            },
            {
              "lessThan": "19.4R2-S4, 19.4R3-S1",
              "status": "affected",
              "version": "19.4",
              "versionType": "custom"
            },
            {
              "lessThan": "20.1R2-S1, 20.1R3",
              "status": "affected",
              "version": "20.1",
              "versionType": "custom"
            },
            {
              "lessThan": "20.2R2, 20.2R2-S1, 20.2R3",
              "status": "affected",
              "version": "20.2",
              "versionType": "custom"
            },
            {
              "lessThan": "20.3R1-S1",
              "status": "affected",
              "version": "20.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "There is no minimum configuration required to be vulnerable to this issue."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Juniper SIRT would like to acknowledge and thank Ho\u00e0ng Th\u1ea1ch Nguy\u1ec5n (d4rkn3ss) of STAR Labs for responsibly reporting this vulnerability."
        }
      ],
      "datePublic": "2021-04-14T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A buffer size validation vulnerability in the overlayd service of Juniper Networks Junos OS may allow an unauthenticated remote attacker to send specially crafted packets to the device, triggering a partial Denial of Service (DoS) condition, or leading to remote code execution (RCE). Continued receipt and processing of these packets will sustain the partial DoS. The overlayd daemon handles Overlay OAM packets, such as ping and traceroute, sent to the overlay. The service runs as root by default and listens for UDP connections on port 4789. This issue results from improper buffer size validation, which can lead to a buffer overflow. Unauthenticated attackers can send specially crafted packets to trigger this vulnerability, resulting in possible remote code execution. overlayd runs by default in MX Series, ACX Series, and QFX Series platforms. The SRX Series does not support VXLAN and is therefore not vulnerable to this issue. Other platforms are also vulnerable if a Virtual Extensible LAN (VXLAN) overlay network is configured. This issue affects Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S9; 17.3 versions prior to 17.3R3-S11; 17.4 versions prior to 17.4R2-S13, 17.4R3-S4; 18.1 versions prior to 18.1R3-S12; 18.2 versions prior to 18.2R2-S8, 18.2R3-S7; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R1-S8, 18.4R2-S7, 18.4R3-S7; 19.1 versions prior to 19.1R2-S2, 19.1R3-S4; 19.2 versions prior to 19.2R1-S6, 19.2R3-S2; 19.3 versions prior to 19.3R3-S1; 19.4 versions prior to 19.4R2-S4, 19.4R3-S1; 20.1 versions prior to 20.1R2-S1, 20.1R3; 20.2 versions prior to 20.2R2, 20.2R2-S1, 20.2R3; 20.3 versions prior to 20.3R1-S1."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-131",
              "description": "CWE-131 Incorrect Calculation of Buffer Size",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "description": "Denial of Service (DoS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-22T19:37:15.000Z",
        "orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
        "shortName": "juniper"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://kb.juniper.net/JSA11147"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "The following software releases have been updated to resolve this specific issue: Junos OS 15.1X49-D240,  15.1R7-S9, 17.3R3-S11, 17.4R2-S13, 17.4R3-S4, 18.1R3-S12, 18.2R2-S8, 18.2R3-S7, 18.3R3-S4, 18.4R1-S8, 18.4R2-S7, 18.4R3-S7, 19.1R2-S2, 19.1R3-S4, 19.2R1-S6, 19.2R3-S2, 19.3R3-S1, 19.4R2-S4, 19.4R3-S1, 20.1R2-S1, 20.1R3, 20.2R2, 20.2R2-S1, 20.2R3, 20.3R1-S1, 20.4R1, and all subsequent releases.\n\nThis fix has also been proactively committed into other releases that might not be vulnerable to this issue."
        }
      ],
      "source": {
        "advisory": "JSA11147",
        "defect": [
          "1548415"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Junos OS: Remote code execution vulnerability in overlayd service",
      "workarounds": [
        {
          "lang": "en",
          "value": "Two methods exist to mitigate this issue:\n\n1. Limit the exploitable attack surface of critical infrastructure networking equipment by using access lists or firewall filters to limit access to the device via UDP only from trusted, administrative networks or hosts.\n\n2. Disable Overlay OAM packet via the configuration command: \u0027set system processes overlay-ping-traceroute disable\u0027"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@juniper.net",
          "DATE_PUBLIC": "2021-04-14T16:00:00.000Z",
          "ID": "CVE-2021-0254",
          "STATE": "PUBLIC",
          "TITLE": "Junos OS: Remote code execution vulnerability in overlayd service"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Junos OS",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "15.1",
                            "version_value": "15.1R7-S9"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "17.3",
                            "version_value": "17.3R3-S11"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "17.4",
                            "version_value": "17.4R2-S13, 17.4R3-S4"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "18.1",
                            "version_value": "18.1R3-S12"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "18.2",
                            "version_value": "18.2R2-S8, 18.2R3-S7"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "18.3",
                            "version_value": "18.3R3-S4"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "18.4",
                            "version_value": "18.4R1-S8, 18.4R2-S7, 18.4R3-S7"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "19.1",
                            "version_value": "19.1R2-S2, 19.1R3-S4"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "19.2",
                            "version_value": "19.2R1-S6, 19.2R3-S2"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "19.3",
                            "version_value": "19.3R3-S1"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "19.4",
                            "version_value": "19.4R2-S4, 19.4R3-S1"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "20.1",
                            "version_value": "20.1R2-S1, 20.1R3"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "20.2",
                            "version_value": "20.2R2, 20.2R2-S1, 20.2R3"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "20.3",
                            "version_value": "20.3R1-S1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Juniper Networks"
              }
            ]
          }
        },
        "configuration": [
          {
            "lang": "en",
            "value": "There is no minimum configuration required to be vulnerable to this issue."
          }
        ],
        "credit": [
          {
            "lang": "eng",
            "value": "Juniper SIRT would like to acknowledge and thank Ho\u00e0ng Th\u1ea1ch Nguy\u1ec5n (d4rkn3ss) of STAR Labs for responsibly reporting this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A buffer size validation vulnerability in the overlayd service of Juniper Networks Junos OS may allow an unauthenticated remote attacker to send specially crafted packets to the device, triggering a partial Denial of Service (DoS) condition, or leading to remote code execution (RCE). Continued receipt and processing of these packets will sustain the partial DoS. The overlayd daemon handles Overlay OAM packets, such as ping and traceroute, sent to the overlay. The service runs as root by default and listens for UDP connections on port 4789. This issue results from improper buffer size validation, which can lead to a buffer overflow. Unauthenticated attackers can send specially crafted packets to trigger this vulnerability, resulting in possible remote code execution. overlayd runs by default in MX Series, ACX Series, and QFX Series platforms. The SRX Series does not support VXLAN and is therefore not vulnerable to this issue. Other platforms are also vulnerable if a Virtual Extensible LAN (VXLAN) overlay network is configured. This issue affects Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S9; 17.3 versions prior to 17.3R3-S11; 17.4 versions prior to 17.4R2-S13, 17.4R3-S4; 18.1 versions prior to 18.1R3-S12; 18.2 versions prior to 18.2R2-S8, 18.2R3-S7; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R1-S8, 18.4R2-S7, 18.4R3-S7; 19.1 versions prior to 19.1R2-S2, 19.1R3-S4; 19.2 versions prior to 19.2R1-S6, 19.2R3-S2; 19.3 versions prior to 19.3R3-S1; 19.4 versions prior to 19.4R2-S4, 19.4R3-S1; 20.1 versions prior to 20.1R2-S1, 20.1R3; 20.2 versions prior to 20.2R2, 20.2R2-S1, 20.2R3; 20.3 versions prior to 20.3R1-S1."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
          }
        ],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-131 Incorrect Calculation of Buffer Size"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of Service (DoS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://kb.juniper.net/JSA11147",
              "refsource": "MISC",
              "url": "https://kb.juniper.net/JSA11147"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "The following software releases have been updated to resolve this specific issue: Junos OS 15.1X49-D240,  15.1R7-S9, 17.3R3-S11, 17.4R2-S13, 17.4R3-S4, 18.1R3-S12, 18.2R2-S8, 18.2R3-S7, 18.3R3-S4, 18.4R1-S8, 18.4R2-S7, 18.4R3-S7, 19.1R2-S2, 19.1R3-S4, 19.2R1-S6, 19.2R3-S2, 19.3R3-S1, 19.4R2-S4, 19.4R3-S1, 20.1R2-S1, 20.1R3, 20.2R2, 20.2R2-S1, 20.2R3, 20.3R1-S1, 20.4R1, and all subsequent releases.\n\nThis fix has also been proactively committed into other releases that might not be vulnerable to this issue."
          }
        ],
        "source": {
          "advisory": "JSA11147",
          "defect": [
            "1548415"
          ],
          "discovery": "EXTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Two methods exist to mitigate this issue:\n\n1. Limit the exploitable attack surface of critical infrastructure networking equipment by using access lists or firewall filters to limit access to the device via UDP only from trusted, administrative networks or hosts.\n\n2. Disable Overlay OAM packet via the configuration command: \u0027set system processes overlay-ping-traceroute disable\u0027"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
    "assignerShortName": "juniper",
    "cveId": "CVE-2021-0254",
    "datePublished": "2021-04-22T19:37:15.413Z",
    "dateReserved": "2020-10-27T00:00:00.000Z",
    "dateUpdated": "2024-09-16T20:11:30.725Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-14385 (GCVE-0-2020-14385)

Vulnerability from cvelistv5 – Published: 2020-09-15 21:14 – Updated: 2024-08-04 12:46
VLAI
Summary
A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability.
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Kernel kernel Affected: before 5.9-rc4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:46:34.096Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4020438fab05364018c91f7e02ebdd192085933"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14385"
          },
          {
            "name": "[debian-lts-announce] 20200928 [SECURITY] [DLA 2385-1] linux-4.19 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html"
          },
          {
            "name": "openSUSE-SU-2020:1586",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00001.html"
          },
          {
            "name": "USN-4576-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4576-1/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kernel",
          "vendor": "Linux Kernel",
          "versions": [
            {
              "status": "affected",
              "version": "before 5.9-rc4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-131",
              "description": "CWE-131",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-15T22:06:09.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4020438fab05364018c91f7e02ebdd192085933"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14385"
        },
        {
          "name": "[debian-lts-announce] 20200928 [SECURITY] [DLA 2385-1] linux-4.19 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html"
        },
        {
          "name": "openSUSE-SU-2020:1586",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00001.html"
        },
        {
          "name": "USN-4576-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4576-1/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-14385",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "kernel",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "before 5.9-rc4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Linux Kernel"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "5.5/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-131"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4020438fab05364018c91f7e02ebdd192085933",
              "refsource": "MISC",
              "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4020438fab05364018c91f7e02ebdd192085933"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14385",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14385"
            },
            {
              "name": "[debian-lts-announce] 20200928 [SECURITY] [DLA 2385-1] linux-4.19 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html"
            },
            {
              "name": "openSUSE-SU-2020:1586",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00001.html"
            },
            {
              "name": "USN-4576-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4576-1/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-14385",
    "datePublished": "2020-09-15T21:14:53.000Z",
    "dateReserved": "2020-06-17T00:00:00.000Z",
    "dateUpdated": "2024-08-04T12:46:34.096Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-13585 (GCVE-0-2020-13585)

Vulnerability from cvelistv5 – Published: 2021-02-10 21:45 – Updated: 2024-08-04 12:25
VLAI
Summary
An out-of-bounds write vulnerability exists in the PSD Header processing functionality of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
CWE
  • CWE-131 - Incorrect Calculation of Buffer Size
Assigner
References
Impacted products
Vendor Product Version
n/a Accusoft Affected: Accusoft ImageGear 19.8
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:25:15.940Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1196"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Accusoft",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Accusoft ImageGear 19.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An out-of-bounds write vulnerability exists in the PSD Header processing functionality of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-131",
              "description": "CWE-131: Incorrect Calculation of Buffer Size",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-10T21:45:01.000Z",
        "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
        "shortName": "talos"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1196"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "talos-cna@cisco.com",
          "ID": "CVE-2020-13585",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Accusoft",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Accusoft ImageGear 19.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An out-of-bounds write vulnerability exists in the PSD Header processing functionality of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-131: Incorrect Calculation of Buffer Size"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1196",
              "refsource": "MISC",
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1196"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
    "assignerShortName": "talos",
    "cveId": "CVE-2020-13585",
    "datePublished": "2021-02-10T21:45:01.000Z",
    "dateReserved": "2020-05-26T00:00:00.000Z",
    "dateUpdated": "2024-08-04T12:25:15.940Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-6108 (GCVE-0-2020-6108)

Vulnerability from cvelistv5 – Published: 2020-10-15 14:45 – Updated: 2024-08-04 08:47
VLAI
Summary
An exploitable code execution vulnerability exists in the fsck_chk_orphan_node functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause a heap buffer overflow resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability.
CWE
  • CWE-131 - Incorrect Calculation of Buffer Size
Assigner
References
URL Tags
https://talosintelligence.com/vulnerability_repor… x_refsource_MISC
https://security.gentoo.org/glsa/202101-26 vendor-advisoryx_refsource_GENTOO
Impacted products
Vendor Product Version
n/a F2fs-Tools Affected: F2fs-Tools F2fs.Fsck 1.13
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:47:41.106Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1050"
          },
          {
            "name": "GLSA-202101-26",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202101-26"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "F2fs-Tools",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "F2fs-Tools F2fs.Fsck 1.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An exploitable code execution vulnerability exists in the fsck_chk_orphan_node functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause a heap buffer overflow resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-131",
              "description": "CWE-131: Incorrect Calculation of Buffer Size",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-26T02:06:13.000Z",
        "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
        "shortName": "talos"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1050"
        },
        {
          "name": "GLSA-202101-26",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202101-26"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "talos-cna@cisco.com",
          "ID": "CVE-2020-6108",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "F2fs-Tools",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "F2fs-Tools F2fs.Fsck 1.13"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An exploitable code execution vulnerability exists in the fsck_chk_orphan_node functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause a heap buffer overflow resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": 8.2,
            "baseSeverity": "High",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-131: Incorrect Calculation of Buffer Size"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1050",
              "refsource": "MISC",
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1050"
            },
            {
              "name": "GLSA-202101-26",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202101-26"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
    "assignerShortName": "talos",
    "cveId": "CVE-2020-6108",
    "datePublished": "2020-10-15T14:45:32.000Z",
    "dateReserved": "2020-01-07T00:00:00.000Z",
    "dateUpdated": "2024-08-04T08:47:41.106Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Implementation

When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts "&" characters to "&amp;" for HTML entity encoding, the output buffer needs to be at least 5 times as large as the input buffer.

Mitigation MIT-36
Implementation
  • Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
  • Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Mitigation MIT-8
Implementation

Strategy: Input Validation

Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.

Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation
Implementation

When processing structured incoming data containing a size field followed by raw data, identify and resolve any inconsistencies between the size field and the actual size of the data (CWE-130).

Mitigation
Implementation

When allocating memory that uses sentinels to mark the end of a data structure - such as NUL bytes in strings - make sure you also include the sentinel in your calculation of the total amount of memory that must be allocated.

Mitigation MIT-13
Implementation

Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.

Mitigation
Implementation

Use sizeof() on the appropriate data type to avoid CWE-467.

Mitigation
Implementation

Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity. This will simplify validation and will reduce surprises related to unexpected casting.

Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • Use libraries or frameworks that make it easier to handle numbers without unexpected consequences, or buffer allocation routines that automatically track buffer size.
  • Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Mitigation MIT-10
Operation Build and Compilation

Strategy: Environment Hardening

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-11
Operation Build and Compilation

Strategy: Environment Hardening

  • Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation MIT-12
Operation

Strategy: Environment Hardening

  • Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.
  • For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].
Mitigation MIT-26
Implementation

Strategy: Compilation or Build Hardening

Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Mitigation MIT-22
Architecture and Design Operation

Strategy: Sandbox or Jail

  • Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
  • OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
CAPEC-100: Overflow Buffers

Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.

CAPEC-47: Buffer Overflow via Parameter Expansion

In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.