Vulnerabilites related to agronholm - cbor2
Vulnerability from fkie_nvd
Published
2024-02-19 23:15
Modified
2025-01-02 14:18
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| agronholm | cbor2 | * | |
| fedoraproject | fedora | 38 | |
| fedoraproject | fedora | 39 | |
| fedoraproject | fedora | 40 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:agronholm:cbor2:*:*:*:*:*:python:*:*",
"matchCriteriaId": "29EB593C-8078-4174-9947-A3590CF93D51",
"versionEndExcluding": "5.6.2",
"versionStartIncluding": "5.5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
"matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*",
"matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue."
},
{
"lang": "es",
"value": "cbor2 proporciona codificaci\u00f3n y decodificaci\u00f3n para el formato de serializaci\u00f3n de representaci\u00f3n concisa de objetos binarios (CBOR) (RFC 8949). A partir de la versi\u00f3n 5.5.1 y antes de la versi\u00f3n 5.6.2, un atacante puede bloquear un servicio que utiliza cbor2 para analizar un binario CBOR enviando un objeto lo suficientemente largo. La versi\u00f3n 5.6.2 contiene un parche para este problema."
}
],
"id": "CVE-2024-26134",
"lastModified": "2025-01-02T14:18:48.553",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-19T23:15:07.810",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/agronholm/cbor2/pull/204"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/agronholm/cbor2/releases/tag/5.6.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/agronholm/cbor2/pull/204"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/agronholm/cbor2/releases/tag/5.6.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-120"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-120"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2024-26134
Vulnerability from cvelistv5
Published
2024-02-19 22:13
Modified
2025-02-13 17:41
Severity ?
EPSS score ?
Summary
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:59:32.554Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m"
},
{
"name": "https://github.com/agronholm/cbor2/pull/204",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/agronholm/cbor2/pull/204"
},
{
"name": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542"
},
{
"name": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df"
},
{
"name": "https://github.com/agronholm/cbor2/releases/tag/5.6.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/agronholm/cbor2/releases/tag/5.6.2"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:agronholm:cbor2:5.5.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cbor2",
"vendor": "agronholm",
"versions": [
{
"lessThan": "5.6.2",
"status": "affected",
"version": "5.5.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26134",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T18:24:08.985048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T13:57:54.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cbor2",
"vendor": "agronholm",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.5.1, \u003c 5.6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-19T23:06:51.306Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m"
},
{
"name": "https://github.com/agronholm/cbor2/pull/204",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/agronholm/cbor2/pull/204"
},
{
"name": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542"
},
{
"name": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df"
},
{
"name": "https://github.com/agronholm/cbor2/releases/tag/5.6.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/agronholm/cbor2/releases/tag/5.6.2"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/"
}
],
"source": {
"advisory": "GHSA-375g-39jq-vq7m",
"discovery": "UNKNOWN"
},
"title": "CBOR2 decoder has potential buffer overflow"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-26134",
"datePublished": "2024-02-19T22:13:47.173Z",
"dateReserved": "2024-02-14T17:40:03.687Z",
"dateUpdated": "2025-02-13T17:41:03.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}