Lucene search

[email protected]CVE-2019-6474

HistoryOct 16, 2019 - 6:15 p.m.

CVE-2019-6474

2019-10-1618:15:37

CWE-772

[email protected]

web.nvd.nist.gov

cve-2019-6474

kea server

lease storage

nvd

security vulnerability

6.1 Medium

CVSS2

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:A/AC:L/Au:N/C:N/I:N/A:C

6.5 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.1 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

51.7%

JSON

A missing check on incoming client requests can be exploited to cause a situation where the Kea server’s lease storage contains leases which are rejected as invalid when the server tries to load leases from storage on restart. If the number of such leases exceeds a hard-coded limit in the Kea code, a server trying to restart will conclude that there is a problem with its lease store and give up. Versions affected: 1.4.0 to 1.5.0, 1.6.0-beta1, and 1.6.0-beta2

Affected configurations

NVD

Node

isckeaRange1.4.0–1.5.0

isckeaMatch1.6.0beta1

isckeaMatch1.6.0beta2

CPENameOperatorVersion
isc:keaisc keale1.5.0
isc:keaisc keaeq1.6.0

CPE	Name	Operator	Version
isc:kea	isc kea	le	1.5.0
isc:kea	isc kea	eq	1.6.0

CNA Affected

[
  {
    "product": "Kea",
    "vendor": "ISC",
    "versions": [
      {
        "status": "affected",
        "version": "1.4.0 to 1.5.0"
      },
      {
        "status": "affected",
        "version": "1.6.0-beta1"
      },
      {
        "status": "affected",
        "version": "1.6.0-beta2"
      }
    ]
  }
]