AmazonALAS-2021-1513Medium: graphviz
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
77.0%
Issue Overview:
A flaw was found in graphviz. A wrong assumption in record_init function leads to an off-by-one write in parse_reclbl function, allowing an attacker who can provide graph input to potentially execute code when the label of a node is invalid and shorter than two characters. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-18032)
Affected Packages:
graphviz
Issue Correction:
Run yum update graphviz to update your system.
New Packages:
i686:
graphviz-python27-2.38.0-18.52.amzn1.i686
graphviz-guile-2.38.0-18.52.amzn1.i686
graphviz-doc-2.38.0-18.52.amzn1.i686
graphviz-devel-2.38.0-18.52.amzn1.i686
graphviz-python26-2.38.0-18.52.amzn1.i686
graphviz-ruby-2.38.0-18.52.amzn1.i686
graphviz-php54-2.38.0-18.52.amzn1.i686
graphviz-tcl-2.38.0-18.52.amzn1.i686
graphviz-2.38.0-18.52.amzn1.i686
graphviz-R-2.38.0-18.52.amzn1.i686
graphviz-java-2.38.0-18.52.amzn1.i686
graphviz-lua-2.38.0-18.52.amzn1.i686
graphviz-graphs-2.38.0-18.52.amzn1.i686
graphviz-debuginfo-2.38.0-18.52.amzn1.i686
graphviz-gd-2.38.0-18.52.amzn1.i686
graphviz-perl-2.38.0-18.52.amzn1.i686
src:
graphviz-2.38.0-18.52.amzn1.src
x86_64:
graphviz-devel-2.38.0-18.52.amzn1.x86_64
graphviz-lua-2.38.0-18.52.amzn1.x86_64
graphviz-tcl-2.38.0-18.52.amzn1.x86_64
graphviz-perl-2.38.0-18.52.amzn1.x86_64
graphviz-python26-2.38.0-18.52.amzn1.x86_64
graphviz-gd-2.38.0-18.52.amzn1.x86_64
graphviz-guile-2.38.0-18.52.amzn1.x86_64
graphviz-graphs-2.38.0-18.52.amzn1.x86_64
graphviz-R-2.38.0-18.52.amzn1.x86_64
graphviz-java-2.38.0-18.52.amzn1.x86_64
graphviz-2.38.0-18.52.amzn1.x86_64
graphviz-ruby-2.38.0-18.52.amzn1.x86_64
graphviz-doc-2.38.0-18.52.amzn1.x86_64
graphviz-debuginfo-2.38.0-18.52.amzn1.x86_64
graphviz-php54-2.38.0-18.52.amzn1.x86_64
graphviz-python27-2.38.0-18.52.amzn1.x86_64
Additional References
Red Hat: CVE-2020-18032
Mitre: CVE-2020-18032
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Amazon Linux | 1 | i686 | graphviz-python27 | < 2.38.0-18.52.amzn1 | graphviz-python27-2.38.0-18.52.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-guile | < 2.38.0-18.52.amzn1 | graphviz-guile-2.38.0-18.52.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-doc | < 2.38.0-18.52.amzn1 | graphviz-doc-2.38.0-18.52.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-devel | < 2.38.0-18.52.amzn1 | graphviz-devel-2.38.0-18.52.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-python26 | < 2.38.0-18.52.amzn1 | graphviz-python26-2.38.0-18.52.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-ruby | < 2.38.0-18.52.amzn1 | graphviz-ruby-2.38.0-18.52.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-php54 | < 2.38.0-18.52.amzn1 | graphviz-php54-2.38.0-18.52.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-tcl | < 2.38.0-18.52.amzn1 | graphviz-tcl-2.38.0-18.52.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz | < 2.38.0-18.52.amzn1 | graphviz-2.38.0-18.52.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | graphviz-r | < 2.38.0-18.52.amzn1 | graphviz-R-2.38.0-18.52.amzn1.i686.rpm |
Related
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
77.0%