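System | Metric | Value |
---|---|---|
CVSS3 | Score | 6.5 Medium |
CVSS3 | Attack Vector | ADJACENT_NETWORK |
CVSS3 | Attack Complexity | LOW |
CVSS3 | Privileges Required | NONE |
CVSS3 | User Interaction | NONE |
CVSS3 | Scope | UNCHANGED |
CVSS3 | Confidentiality Impact | HIGH |
CVSS3 | Integrity Impact | NONE |
CVSS3 | Availability Impact | NONE |
CVSS3 | Vector | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVSS2 | Score | 3.3 Low |
CVSS2 | Access Vector | ADJACENT_NETWORK |
CVSS2 | Access Complexity | LOW |
CVSS2 | Authentication | NONE |
CVSS2 | Confidentiality Impact | PARTIAL |
CVSS2 | Integrity Impact | NONE |
CVSS2 | Availability Impact | NONE |
CVSS2 | Vector | AV:A/AC:L/Au:N/C:P/I:N/A:N |
EPSS | Score | 0.001 Low |
EPSS | Percentile | 38.8% |
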
An issue was discovered in bluetoothd in BlueZ through 5.48. The
vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP
implementation. By crafting a malicious CSTATE, it is possible to trick the
server into returning more bytes than the buffer actually holds, resulting
in leaking arbitrary heap data. The root cause can be found in the function
service_attr_req of sdpd-request.c. The server does not check whether the
CSTATE data is the same in consecutive requests, and instead simply trusts
that it is the same.
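
The missing check described above, as a simplified C model added here. It is not BlueZ code or the upstream patch, and the struct layout, field names and `next_fragment` are hypothetical. The server keeps its own record of the continuation state it issued and rejects any request whose echoed state differs or whose offset lies outside the cached response.

```c
/* Simplified model of an SDP-style continuation check. Not BlueZ code:
 * every struct, field and function name here is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct cont_state {           /* state echoed back by the client */
    uint32_t timestamp;       /* identifies the cached response */
    uint16_t bytes_sent;      /* offset the client claims to be at */
};

struct cached_rsp {           /* what the server remembers */
    uint32_t timestamp;
    uint16_t bytes_sent;      /* offset the server issued last time */
    uint16_t len;             /* valid bytes in data */
    const uint8_t *data;
};

/* Copy the next fragment (at most max_rsp bytes) into out, which must
 * hold max_rsp bytes. Returns bytes copied, or -1 if rejected. */
int next_fragment(struct cached_rsp *c, const struct cont_state *cs,
                  uint16_t max_rsp, uint8_t *out)
{
    /* Compare with the server's own record instead of trusting the echo. */
    if (cs->timestamp != c->timestamp || cs->bytes_sent != c->bytes_sent)
        return -1;
    /* Independent bounds check: the offset must lie inside the buffer. */
    if (c->bytes_sent >= c->len)
        return -1;
    uint16_t remaining = (uint16_t)(c->len - c->bytes_sent);
    uint16_t n = remaining < max_rsp ? remaining : max_rsp;
    memcpy(out, c->data + c->bytes_sent, n);
    c->bytes_sent = (uint16_t)(c->bytes_sent + n);
    return n;
}

int main(void)
{
    static const uint8_t rsp[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; /* constructed */
    struct cached_rsp c = {42u, 4, sizeof rsp, rsp};
    struct cont_state honest = {42u, 4}, forged = {42u, 200};
    uint8_t out[16];
    printf("forged offset: %d\n", next_fragment(&c, &forged, 8, out));
    printf("honest offset: %d\n", next_fragment(&c, &honest, 8, out));
    return 0;
}
```
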
Author | Note |
---|---|
mdeslaur | This was fixed in bionic by CVE-2021-41229-pre1.patch |