Lucene search

MitreCVE-2019-20427

HistoryJan 27, 2020 - 5:15 a.m.

CVE-2019-20427

2020-01-2705:15:12

CWE-120

mitre

web.nvd.nist.gov

cve-2019-20427

lustre file system

buffer overflow

panic

remote code execution

validation

signedness error

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:P/I:P/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.9

Confidence

High

EPSS

0.016

Percentile

87.6%

JSON

In the Lustre file system before 2.12.3, the ptlrpc module has a buffer overflow and panic, and possibly remote code execution, due to the lack of validation for specific fields of packets sent by a client. Interaction between req_capsule_get_size and tgt_brw_write leads to a tgt_shortio2pages integer signedness error.

Affected configurations

Nvd

Node

lustrelustreRange<2.12.3

VendorProductVersionCPE
lustrelustre*cpe:2.3:a:lustre:lustre:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
lustre	lustre	*	cpe:2.3:a:lustre:lustre::::::::

References

lustre.org/

wiki.lustre.org/Lustre_2.12.3_Changelog

jira.whamcloud.com/browse/LU-12600

review.whamcloud.com/#/c/35867/

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:P/I:P/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.9

Confidence

High

EPSS

0.016

Percentile

87.6%

JSON

Related for CVE-2019-20427