CVE-2020-26243

{"id": "CVE-2020-26243", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-11-25T17:15:12.200", "references": [{"url": "https://github.com/nanopb/nanopb/blob/2b48a361786dfb1f63d229840217a93aae064667/CHANGELOG.txt", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nanopb/nanopb/commit/4fe23595732b6f1254cfc11a9b8d6da900b55b0c", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nanopb/nanopb/issues/615", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed. This is fixed in versions 0.3.9.7 and 0.4.4. The following workarounds are available: 1) Set the option `no_unions` for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code. 2) Set the type of the submessage field inside oneof to `FT_POINTER`. This way the whole submessage will be dynamically allocated and the problematic code is not executed. 3) Use an arena allocator for nanopb, to make sure all memory can be released afterwards."}, {"lang": "es", "value": "Nanopb es una implementaci\u00f3n de B\u00faferes de Protocolo de c\u00f3digo de tama\u00f1o peque\u00f1o. En Nanopb versiones anteriores a 0.4.4 y 0.3.9.7, la decodificaci\u00f3n de un mensaje formado espec\u00edficamente puede filtrar la memoria si es habilitada la asignaci\u00f3n din\u00e1mica y un campo contiene un submensaje est\u00e1tico que contiene un campo din\u00e1mico, y el mensaje que est\u00e1 siendo decodificado contiene el submensaje varias veces. Esto es raro en los mensajes normales, pero es preocupante cuando son analizados datos no fiables. Esto est\u00e1 corregido en las versiones 0.3.9.7 y 0.4.4. Est\u00e1n disponibles las siguientes soluciones provisionales: 1) Poner la opci\u00f3n \"no_unions\" para el campo uno. Esto generar\u00e1 campos como separados en lugar de la uni\u00f3n C, y evita desencadenar el c\u00f3digo problem\u00e1tico. 2) Ajustar el tipo de campo de submensaje dentro de uno de ellos a \"TP_POINTER\". De esta manera todo el submensaje ser\u00e1 asignado din\u00e1micamente y el c\u00f3digo problem\u00e1tico no ser\u00e1 ejecutado. 3) Usar un asignador de campos para el nanopb, para asegurarse de que toda la memoria pueda ser liberada despu\u00e9s"}], "lastModified": "2020-12-07T20:49:47.917", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nanopb_project:nanopb:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E2479C6C-033B-4F28-895E-9ACDEB6956F2", "versionEndExcluding": "0.3.9.7"}, {"criteria": "cpe:2.3:a:nanopb_project:nanopb:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "42DF75C8-803B-4F1A-AF78-929126981CBB", "versionEndExcluding": "0.4.4", "versionStartIncluding": "0.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}