CVE-2024-26134

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542
https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df
https://github.com/agronholm/cbor2/pull/204
https://github.com/agronholm/cbor2/releases/tag/5.6.2
https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/

Configurations

No configuration.

History

19 Apr 2024, 23:15

Type	Values Removed	Values Added
References		() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/ -

17 Apr 2024, 03:15

Type	Values Removed	Values Added
References		() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/ -

19 Feb 2024, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-19 23:15

Updated : 2024-04-19 23:15

NVD link : CVE-2024-26134

Mitre link : CVE-2024-26134

CVE.ORG link : CVE-2024-26134

JSON object : View

Products Affected

No product.

CWE

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

{"id": "CVE-2024-26134", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-02-19T23:15:07.810", "references": [{"url": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542", "source": "security-advisories@github.com"}, {"url": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df", "source": "security-advisories@github.com"}, {"url": "https://github.com/agronholm/cbor2/pull/204", "source": "security-advisories@github.com"}, {"url": "https://github.com/agronholm/cbor2/releases/tag/5.6.2", "source": "security-advisories@github.com"}, {"url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m", "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/", "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/", "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-120"}]}], "descriptions": [{"lang": "en", "value": "cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue."}, {"lang": "es", "value": "cbor2 proporciona codificaci\u00f3n y decodificaci\u00f3n para el formato de serializaci\u00f3n de representaci\u00f3n concisa de objetos binarios (CBOR) (RFC 8949). A partir de la versi\u00f3n 5.5.1 y antes de la versi\u00f3n 5.6.2, un atacante puede bloquear un servicio que utiliza cbor2 para analizar un binario CBOR enviando un objeto lo suficientemente largo. La versi\u00f3n 5.6.2 contiene un parche para este problema."}], "lastModified": "2024-04-19T23:15:10.433", "sourceIdentifier": "security-advisories@github.com"}