
Advisory ROSA-SA-2021-1869

2021-07-02 17:13:48
ROSA LAB
abf.rosalinux.ru

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.3 High (Confidence: High)

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.006 Low (Percentile: 79.1%)

Software: libevent 2.0.21
OS: Cobalt 7.9

CVE-ID: CVE-2014-6272
CVE-Crit: MEDIUM
CVE-DESC: Multiple integer overflows in the evbuffer API in Libevent 1.4.x through 1.4.15, 2.0.x through 2.0.22, and 2.1.x through 2.1.5-beta allow context-aware attackers to cause a denial of service or possibly have other undefined impact via “insanely large inputs” to the (1) evbuffer_add, (2) evbuffer_expand, or (3) bufferevent_write function, which triggers a heap-based buffer overflow or infinite loop. NOTE: this identifier was SPLIT for ADT3 due to different affected versions. See CVE-2015-6525 for functions that are only affected in version 2.0 and later.
CVE-STATUS: Default
CVE-REV: Default

CVE-ID: CVE-2015-6525
CVE-Crit: MEDIUM
CVE-DESC: Multiple integer overflows in the evbuffer API in Libevent 2.0.x through 2.0.22 and 2.1.x through 2.1.5-beta allow context-sensitive attackers to cause a denial of service or possibly have other undefined impact via “insanely large inputs” to the (1) evbuffer_add, (2) evbuffer_prepend, (3) evbuffer_expand, (4) evbuffer_reserve_space, or (5) evbuffer_read function, which triggers a heap-based buffer overflow or infinite loop. NOTE: this identifier was SPLIT from CVE-2014-6272 for ADT3 due to different affected versions.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-10195
CVE-Crit: CRITICAL
CVE-DESC: The name_parse function in evdns.c in libevent before 2.1.6-beta allows remote attackers to have undefined impact using vectors that include the label_len variable, which triggers a stack read outside the valid range.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-10196
CVE-Crit: HIGH
CVE-DESC: Stack-based buffer overflow in the evutil_parse_sockaddr_port function in evutil.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (segmentation fault) using vectors containing a long bracketed string in the ip_as_string argument.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-10197
CVE-Crit: HIGH
CVE-DESC: The search_make_new function in evdns.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (read out of range) via an empty hostname.
CVE-STATUS: default
CVE-REV: default

OS      Version  Architecture  Package   Version   Filename
Cobalt  any      noarch        libevent  < 2.0.21  UNKNOWN
