Redhat.comRH:CVE-2019-14850CVE-2019-14850
3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
2.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
42.0%
A denial of service vulnerability was discovered in nbdkit. An attacker could connect to the nbdkit service and cause it to perform a large amount of work in initializing backend plugins, by simply opening a connection to the service. This vulnerability could cause resource consumption and degradation of service in nbdkit, depending on the plugins configured on the server-side.
Mitigation
This attack is only possible if nbdkit is configured with a plugin that does a lot of work in its initial .open() callback. Some examples that do a lot of work are nbdkit-ssh-plugin and nbdkit-guestfs-plugin. The nbdkit-memory-plugin is an example that does very little work, and thus is not subject to this vulnerability.
Only attackers that can connect to the nbdkit service can exploit this vulnerability. If nbdkit is not exposed over TCP (eg, nbdkit -U), or is bound only to a private network interface, or is protected by firewall rules, the attack surface is correspondingly limited.
Related
3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
2.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
42.0%