8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
0.005 Low
EPSS
Percentile
75.9%
An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There
is an out of bounds read in the function
cv::predictOrdered<cv::HaarEvaluator> in
modules/objdetect/src/cascadedetect.hpp, which leads to denial of service.
Author | Note |
---|---|
ccdm94 | in xenial and earlier, it is necessary to backport the fix for this CVE. However, changes in the code that have occurred since the release of versions available in xenial and earlier cause this backport to be quite intrusive. To backport and properly apply the patch, it would be necessary to alter library functions that are exported, meaning that it would be necessary to alter their interfaces, which could end up causing regressions in software that uses the opencv library to operate. It also seems like a backported version of the patch does not completely fix the vulnerability, with the POC file causing a similar crash, even after the fix is applied. |
github.com/opencv/opencv/compare/33b765d...4a7ca5a
github.com/opencv/opencv/compare/371bba8...ddbd10c
github.com/opencv/opencv/issues/15125
launchpad.net/bugs/cve/CVE-2019-14491
nvd.nist.gov/vuln/detail/CVE-2019-14491
security-tracker.debian.org/tracker/CVE-2019-14491
ubuntu.com/security/notices/USN-4818-1
www.cve.org/CVERecord?id=CVE-2019-14491
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
0.005 Low
EPSS
Percentile
75.9%