Vulnerabilites related to arm - mbed-coap
Vulnerability from fkie_nvd
Published
2020-06-18 19:15
Modified
2024-11-21 05:00
Severity ?
Summary
Memory leaks were discovered in the CoAP library in Arm Mbed OS 5.15.3 when using the Arm mbed-coap library 5.1.5. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses the CoAP option number field of all options present in the input packet. Each option number is calculated as a sum of the previous option number and a delta of the current option. The delta and the previous option number are expressed as unsigned 16-bit integers. Due to lack of overflow detection, it is possible to craft a packet that wraps the option number around and results in the same option number being processed again in a single packet. Certain options allocate memory by calling a memory allocation function. In the cases of COAP_OPTION_URI_QUERY, COAP_OPTION_URI_PATH, COAP_OPTION_LOCATION_QUERY, and COAP_OPTION_ETAG, there is no check on whether memory has already been allocated, which in conjunction with the option number integer overflow may lead to multiple assignments of allocated memory to a single pointer. This has been demonstrated to lead to memory leak by buffer orphaning. As a result, the memory is never freed.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/ARMmbed/mbed-coap/pull/116 | Third Party Advisory | |
| cve@mitre.org | https://github.com/ARMmbed/mbed-os/issues/12930 | Third Party Advisory | |
| cve@mitre.org | https://github.com/ARMmbed/mbed-os/issues/12957 | Third Party Advisory | |
| cve@mitre.org | https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ARMmbed/mbed-coap/pull/116 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ARMmbed/mbed-os/issues/12930 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ARMmbed/mbed-os/issues/12957 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93 | Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:arm:mbed-coap:5.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "514FAB1A-AD34-4295-BD7B-E417F85F16FD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:arm:mbed_os:5.15.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B314FCEF-12B7-4510-AC5E-12D3574E3E68",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Memory leaks were discovered in the CoAP library in Arm Mbed OS 5.15.3 when using the Arm mbed-coap library 5.1.5. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses the CoAP option number field of all options present in the input packet. Each option number is calculated as a sum of the previous option number and a delta of the current option. The delta and the previous option number are expressed as unsigned 16-bit integers. Due to lack of overflow detection, it is possible to craft a packet that wraps the option number around and results in the same option number being processed again in a single packet. Certain options allocate memory by calling a memory allocation function. In the cases of COAP_OPTION_URI_QUERY, COAP_OPTION_URI_PATH, COAP_OPTION_LOCATION_QUERY, and COAP_OPTION_ETAG, there is no check on whether memory has already been allocated, which in conjunction with the option number integer overflow may lead to multiple assignments of allocated memory to a single pointer. This has been demonstrated to lead to memory leak by buffer orphaning. As a result, the memory is never freed."
},
{
"lang": "es",
"value": "Se detectaron p\u00e9rdidas de la memoria en la biblioteca CoAP en Arm Mbed OS versi\u00f3n 5.15.3 cuando se usa la biblioteca Arm mbed-coap versi\u00f3n 5.1.5. El analizador CoAP es responsable de analizar los paquetes CoAP recibidos. La funci\u00f3n sn_coap_parser_options_parse() analiza el campo CoAP option number de todas las opciones presentes en el paquete de entrada. Cada n\u00famero de opci\u00f3n es calculado como una suma del n\u00famero de opci\u00f3n previo y un delta de la opci\u00f3n actual. El delta y el n\u00famero de opci\u00f3n anterior son expresados como enteros de 16 bits sin signo. Debido a la falta de detecci\u00f3n de desbordamiento, es posible crear un paquete que contenga el n\u00famero de opci\u00f3n y resulte en que el mismo n\u00famero de opci\u00f3n sea procesado nuevamente en un solo paquete. Determinadas opciones asignan memoria llamando a una funci\u00f3n de asignaci\u00f3n de memoria. En los casos de COAP_OPTION_URI_QUERY, COAP_OPTION_URI_PATH, COAP_OPTION_LOCATION_QUERY y COAP_OPTION_ETAG, no se comprueba si ya se ha asignado memoria, lo que en conjunto con el desbordamiento de enteros del n\u00famero de opci\u00f3n puede conllevar a m\u00faltiples asignaciones de memoria asignada a un \u00fanico puntero. Se ha demostrado que esto conlleva a una p\u00e9rdida de memoria mediante un hu\u00e9rfano de b\u00fafer. Como resultado, la memoria nunca es liberada"
}
],
"id": "CVE-2020-12887",
"lastModified": "2024-11-21T05:00:29.737",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-18T19:15:11.783",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/ARMmbed/mbed-coap/pull/116"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/ARMmbed/mbed-os/issues/12930"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/ARMmbed/mbed-os/issues/12957"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/ARMmbed/mbed-coap/pull/116"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/ARMmbed/mbed-os/issues/12930"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/ARMmbed/mbed-os/issues/12957"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-190"
},
{
"lang": "en",
"value": "CWE-401"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
var-202006-0090
Vulnerability from variot
Memory leaks were discovered in the CoAP library in Arm Mbed OS 5.15.3 when using the Arm mbed-coap library 5.1.5. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses the CoAP option number field of all options present in the input packet. Each option number is calculated as a sum of the previous option number and a delta of the current option. The delta and the previous option number are expressed as unsigned 16-bit integers. Due to lack of overflow detection, it is possible to craft a packet that wraps the option number around and results in the same option number being processed again in a single packet. Certain options allocate memory by calling a memory allocation function. In the cases of COAP_OPTION_URI_QUERY, COAP_OPTION_URI_PATH, COAP_OPTION_LOCATION_QUERY, and COAP_OPTION_ETAG, there is no check on whether memory has already been allocated, which in conjunction with the option number integer overflow may lead to multiple assignments of allocated memory to a single pointer. This has been demonstrated to lead to memory leak by buffer orphaning. As a result, the memory is never freed. Arm mbed-coap The library contains a vulnerability regarding the lack of free memory after expiration.Service operation interruption (DoS) It may be put into a state. ARM Mbed OS is a set of open source embedded operating system dedicated to the Internet of Things of the British ARM company. CoAP library is one of the Constrained Application Protocol (CoAP) libraries. An attacker can use this vulnerability to cause a denial of service (memory leak)
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202006-0090",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "mbed-coap",
"scope": "eq",
"trust": 1.8,
"vendor": "arm",
"version": "5.1.5"
},
{
"model": "mbed os",
"scope": "eq",
"trust": 0.6,
"vendor": "arm",
"version": "5.15.3"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-20270"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-007002"
},
{
"db": "NVD",
"id": "CVE-2020-12887"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:arm:mbed-coap",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-007002"
}
]
},
"cve": "CVE-2020-12887",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2020-12887",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.0,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 5.0,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-007002",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CNVD-2021-20270",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2020-12887",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-007002",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-12887",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "JVNDB-2020-007002",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2021-20270",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202006-1280",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-20270"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-007002"
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1280"
},
{
"db": "NVD",
"id": "CVE-2020-12887"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Memory leaks were discovered in the CoAP library in Arm Mbed OS 5.15.3 when using the Arm mbed-coap library 5.1.5. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses the CoAP option number field of all options present in the input packet. Each option number is calculated as a sum of the previous option number and a delta of the current option. The delta and the previous option number are expressed as unsigned 16-bit integers. Due to lack of overflow detection, it is possible to craft a packet that wraps the option number around and results in the same option number being processed again in a single packet. Certain options allocate memory by calling a memory allocation function. In the cases of COAP_OPTION_URI_QUERY, COAP_OPTION_URI_PATH, COAP_OPTION_LOCATION_QUERY, and COAP_OPTION_ETAG, there is no check on whether memory has already been allocated, which in conjunction with the option number integer overflow may lead to multiple assignments of allocated memory to a single pointer. This has been demonstrated to lead to memory leak by buffer orphaning. As a result, the memory is never freed. Arm mbed-coap The library contains a vulnerability regarding the lack of free memory after expiration.Service operation interruption (DoS) It may be put into a state. ARM Mbed OS is a set of open source embedded operating system dedicated to the Internet of Things of the British ARM company. CoAP library is one of the Constrained Application Protocol (CoAP) libraries. An attacker can use this vulnerability to cause a denial of service (memory leak)",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-12887"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-007002"
},
{
"db": "CNVD",
"id": "CNVD-2021-20270"
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1280"
}
],
"trust": 2.7
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-12887",
"trust": 3.0
},
{
"db": "JVNDB",
"id": "JVNDB-2020-007002",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2021-20270",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1280",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-20270"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-007002"
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1280"
},
{
"db": "NVD",
"id": "CVE-2020-12887"
}
]
},
"id": "VAR-202006-0090",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-20270"
}
],
"trust": 1.3105263
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-20270"
}
]
},
"last_update_date": "2024-11-23T22:41:05.253000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Bugfix/coap parser mem access bugs #116",
"trust": 0.8,
"url": "https://github.com/ARMmbed/mbed-coap/pull/116"
},
{
"title": "Integer overflow in MbedOS CoAP library parser #12930",
"trust": 0.8,
"url": "https://github.com/ARMmbed/mbed-os/issues/12930"
},
{
"title": "Memory leak in MbedOS CoAP library parser - sn_coap_parser_options_parse() #12957",
"trust": 0.8,
"url": "https://github.com/ARMmbed/mbed-os/issues/12957"
},
{
"title": "Implemented measures to prevent memory leaks in sn_coap_parser_options_parse()",
"trust": 0.8,
"url": "https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93"
},
{
"title": "Patch for ARM Mbed OS CoAP library input verification error vulnerability (CNVD-2021-20270)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/253736"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-20270"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-007002"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-401",
"trust": 1.8
},
{
"problemtype": "CWE-190",
"trust": 1.0
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-007002"
},
{
"db": "NVD",
"id": "CVE-2020-12887"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.6,
"url": "https://github.com/armmbed/mbed-os/issues/12957"
},
{
"trust": 1.6,
"url": "https://github.com/armmbed/mbed-os/issues/12930"
},
{
"trust": 1.6,
"url": "https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93"
},
{
"trust": 1.6,
"url": "https://github.com/armmbed/mbed-coap/pull/116"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-12887"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12887"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-007002"
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1280"
},
{
"db": "NVD",
"id": "CVE-2020-12887"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2021-20270"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-007002"
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1280"
},
{
"db": "NVD",
"id": "CVE-2020-12887"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-03-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-20270"
},
{
"date": "2020-07-29T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-007002"
},
{
"date": "2020-06-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202006-1280"
},
{
"date": "2020-06-18T19:15:11.783000",
"db": "NVD",
"id": "CVE-2020-12887"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-03-23T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-20270"
},
{
"date": "2020-07-29T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-007002"
},
{
"date": "2020-07-02T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202006-1280"
},
{
"date": "2024-11-21T05:00:29.737000",
"db": "NVD",
"id": "CVE-2020-12887"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202006-1280"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Arm mbed-coap Vulnerability in lack of free memory after expiration in library",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-007002"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202006-1280"
}
],
"trust": 0.6
}
}
CVE-2020-12887 (GCVE-0-2020-12887)
Vulnerability from cvelistv5
Published
2020-06-18 18:24
Modified
2024-08-04 12:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Memory leaks were discovered in the CoAP library in Arm Mbed OS 5.15.3 when using the Arm mbed-coap library 5.1.5. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses the CoAP option number field of all options present in the input packet. Each option number is calculated as a sum of the previous option number and a delta of the current option. The delta and the previous option number are expressed as unsigned 16-bit integers. Due to lack of overflow detection, it is possible to craft a packet that wraps the option number around and results in the same option number being processed again in a single packet. Certain options allocate memory by calling a memory allocation function. In the cases of COAP_OPTION_URI_QUERY, COAP_OPTION_URI_PATH, COAP_OPTION_LOCATION_QUERY, and COAP_OPTION_ETAG, there is no check on whether memory has already been allocated, which in conjunction with the option number integer overflow may lead to multiple assignments of allocated memory to a single pointer. This has been demonstrated to lead to memory leak by buffer orphaning. As a result, the memory is never freed.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/ARMmbed/mbed-os/issues/12957 | x_refsource_MISC | |
| https://github.com/ARMmbed/mbed-os/issues/12930 | x_refsource_MISC | |
| https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93 | x_refsource_MISC | |
| https://github.com/ARMmbed/mbed-coap/pull/116 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:11:18.832Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ARMmbed/mbed-os/issues/12957"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ARMmbed/mbed-os/issues/12930"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ARMmbed/mbed-coap/pull/116"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Memory leaks were discovered in the CoAP library in Arm Mbed OS 5.15.3 when using the Arm mbed-coap library 5.1.5. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses the CoAP option number field of all options present in the input packet. Each option number is calculated as a sum of the previous option number and a delta of the current option. The delta and the previous option number are expressed as unsigned 16-bit integers. Due to lack of overflow detection, it is possible to craft a packet that wraps the option number around and results in the same option number being processed again in a single packet. Certain options allocate memory by calling a memory allocation function. In the cases of COAP_OPTION_URI_QUERY, COAP_OPTION_URI_PATH, COAP_OPTION_LOCATION_QUERY, and COAP_OPTION_ETAG, there is no check on whether memory has already been allocated, which in conjunction with the option number integer overflow may lead to multiple assignments of allocated memory to a single pointer. This has been demonstrated to lead to memory leak by buffer orphaning. As a result, the memory is never freed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-18T18:24:47",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ARMmbed/mbed-os/issues/12957"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ARMmbed/mbed-os/issues/12930"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ARMmbed/mbed-coap/pull/116"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12887",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Memory leaks were discovered in the CoAP library in Arm Mbed OS 5.15.3 when using the Arm mbed-coap library 5.1.5. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses the CoAP option number field of all options present in the input packet. Each option number is calculated as a sum of the previous option number and a delta of the current option. The delta and the previous option number are expressed as unsigned 16-bit integers. Due to lack of overflow detection, it is possible to craft a packet that wraps the option number around and results in the same option number being processed again in a single packet. Certain options allocate memory by calling a memory allocation function. In the cases of COAP_OPTION_URI_QUERY, COAP_OPTION_URI_PATH, COAP_OPTION_LOCATION_QUERY, and COAP_OPTION_ETAG, there is no check on whether memory has already been allocated, which in conjunction with the option number integer overflow may lead to multiple assignments of allocated memory to a single pointer. This has been demonstrated to lead to memory leak by buffer orphaning. As a result, the memory is never freed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ARMmbed/mbed-os/issues/12957",
"refsource": "MISC",
"url": "https://github.com/ARMmbed/mbed-os/issues/12957"
},
{
"name": "https://github.com/ARMmbed/mbed-os/issues/12930",
"refsource": "MISC",
"url": "https://github.com/ARMmbed/mbed-os/issues/12930"
},
{
"name": "https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93",
"refsource": "MISC",
"url": "https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93"
},
{
"name": "https://github.com/ARMmbed/mbed-coap/pull/116",
"refsource": "CONFIRM",
"url": "https://github.com/ARMmbed/mbed-coap/pull/116"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12887",
"datePublished": "2020-06-18T18:24:47",
"dateReserved": "2020-05-15T00:00:00",
"dateUpdated": "2024-08-04T12:11:18.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}