CVE-2024-27099 Azure IoT Platform Device SDK Double Free Vulnerability

2024-02-2718:58:26

CWE-415

GitHub_M

www.cve.org

azure

iot

uamqp

library

double free

vulnerability

rce

update

submodule

commit

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

Percentile

9.0%

JSON

The uAMQP is a C library for AMQP 1.0 communication to Azure Cloud Services. When processing an incorrect AMQP_VALUE failed state, may cause a double free problem. This may cause a RCE. Update submodule with commit 2ca42b6e4e098af2d17e487814a91d05f6ae4987.

CNA Affected

[
  {
    "vendor": "Azure",
    "product": "azure-uamqp-c",
    "versions": [
      {
        "version": "< 2023-2-08",
        "status": "affected"
      }
    ]
  }
]