Lucene search

GoogleOSV:BIT-LIBMAXMINDDB-2020-28241

HistoryMar 06, 2024 - 10:55 a.m.

BIT-libmaxminddb-2020-28241

2024-03-0610:55:16

Google

osv.dev

libmaxminddb

heap-based

buffer over-read

software

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

6.8 Medium

AI Score

Confidence

Low

4.3 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.004 Low

EPSS

Percentile

73.4%

JSON

libmaxminddb before 1.4.3 has a heap-based buffer over-read in dump_entry_data_list in maxminddb.c.

CPENameOperatorVersion
libmaxminddblt1.4.3

CPE	Name	Operator	Version
	libmaxminddb	lt	1.4.3

References

github.com/maxmind/libmaxminddb/compare/1.4.2...1.4.3

github.com/maxmind/libmaxminddb/issues/236

github.com/maxmind/libmaxminddb/pull/237

lists.debian.org/debian-lts-announce/2020/11/msg00019.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WUK4UCOB5FJVK36E22IRLEYGKMUWGBG/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ELTOHZBPO6XVUVADP4DPZBNQCPTYOQBV/

security.gentoo.org/glsa/202011-15

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

6.8 Medium

AI Score

Confidence

Low

4.3 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.004 Low

EPSS

Percentile

73.4%

JSON

Related for OSV:BIT-LIBMAXMINDDB-2020-28241