CVE-2020-5234 Untrusted data can lead to DoS attack in MessagePack for C# and Unity

2020-01-3117:50:14

CWE-121

GitHub_M

www.cve.org

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H

0.01 Low

EPSS

Percentile

83.9%

JSON

MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps.

CNA Affected

[
  {
    "product": "MessagePack",
    "vendor": "neuecc",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.9.11"
      },
      {
        "status": "affected",
        "version": ">= 2.0.0, < 2.1.90"
      }
    ]
  },
  {
    "product": "MessagePack.ImmutableCollection",
    "vendor": "neuecc",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.9.11"
      },
      {
        "status": "affected",
        "version": ">= 2.0.0, < 2.1.90"
      }
    ]
  },
  {
    "product": "MessagePack.ReactiveProperty",
    "vendor": "neuecc",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.9.11"
      },
      {
        "status": "affected",
        "version": ">= 2.0.0, < 2.1.90"
      }
    ]
  },
  {
    "product": "MessagePack.UnityShims",
    "vendor": "neuecc",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.9.11"
      },
      {
        "status": "affected",
        "version": ">= 2.0.0, < 2.1.90"
      }
    ]
  }
]