AmazonALAS-2019-1207Low: graphviz
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.038 Low
EPSS
Percentile
91.8%
Issue Overview:
The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz has a NULL pointer dereference, as demonstrated by graphml2gv. (CVE-2019-11023)
Affected Packages:
graphviz
Issue Correction:
Run yum update graphviz to update your system.
New Packages:
i686:
graphviz-R-2.38.0-18.51.amzn1.i686
graphviz-debuginfo-2.38.0-18.51.amzn1.i686
graphviz-graphs-2.38.0-18.51.amzn1.i686
graphviz-lua-2.38.0-18.51.amzn1.i686
graphviz-tcl-2.38.0-18.51.amzn1.i686
graphviz-python26-2.38.0-18.51.amzn1.i686
graphviz-java-2.38.0-18.51.amzn1.i686
graphviz-gd-2.38.0-18.51.amzn1.i686
graphviz-php54-2.38.0-18.51.amzn1.i686
graphviz-python27-2.38.0-18.51.amzn1.i686
graphviz-ruby-2.38.0-18.51.amzn1.i686
graphviz-2.38.0-18.51.amzn1.i686
graphviz-doc-2.38.0-18.51.amzn1.i686
graphviz-perl-2.38.0-18.51.amzn1.i686
graphviz-guile-2.38.0-18.51.amzn1.i686
graphviz-devel-2.38.0-18.51.amzn1.i686
src:
graphviz-2.38.0-18.51.amzn1.src
x86_64:
graphviz-lua-2.38.0-18.51.amzn1.x86_64
graphviz-ruby-2.38.0-18.51.amzn1.x86_64
graphviz-graphs-2.38.0-18.51.amzn1.x86_64
graphviz-gd-2.38.0-18.51.amzn1.x86_64
graphviz-2.38.0-18.51.amzn1.x86_64
graphviz-devel-2.38.0-18.51.amzn1.x86_64
graphviz-tcl-2.38.0-18.51.amzn1.x86_64
graphviz-doc-2.38.0-18.51.amzn1.x86_64
graphviz-guile-2.38.0-18.51.amzn1.x86_64
graphviz-python27-2.38.0-18.51.amzn1.x86_64
graphviz-java-2.38.0-18.51.amzn1.x86_64
graphviz-debuginfo-2.38.0-18.51.amzn1.x86_64
graphviz-python26-2.38.0-18.51.amzn1.x86_64
graphviz-R-2.38.0-18.51.amzn1.x86_64
graphviz-perl-2.38.0-18.51.amzn1.x86_64
graphviz-php54-2.38.0-18.51.amzn1.x86_64
Additional References
Red Hat: CVE-2019-11023
Mitre: CVE-2019-11023
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Amazon Linux | 1 | i686 | graphviz-r | < 2.38.0-18.51.amzn1 | graphviz-R-2.38.0-18.51.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-debuginfo | < 2.38.0-18.51.amzn1 | graphviz-debuginfo-2.38.0-18.51.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-graphs | < 2.38.0-18.51.amzn1 | graphviz-graphs-2.38.0-18.51.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-lua | < 2.38.0-18.51.amzn1 | graphviz-lua-2.38.0-18.51.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-tcl | < 2.38.0-18.51.amzn1 | graphviz-tcl-2.38.0-18.51.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-python26 | < 2.38.0-18.51.amzn1 | graphviz-python26-2.38.0-18.51.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-java | < 2.38.0-18.51.amzn1 | graphviz-java-2.38.0-18.51.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-gd | < 2.38.0-18.51.amzn1 | graphviz-gd-2.38.0-18.51.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-php54 | < 2.38.0-18.51.amzn1 | graphviz-php54-2.38.0-18.51.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-python27 | < 2.38.0-18.51.amzn1 | graphviz-python27-2.38.0-18.51.amzn1.i686.rpm |
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.038 Low
EPSS
Percentile
91.8%