{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-11-17T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "When decoding data out of a dataset encoded with the H5Z_NBIT decoding, the HDF5 1.8.16 library will fail to ensure that the precision is within the bounds of the size leading to arbitrary code execution."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-03T18:57:01.000Z", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.talosintelligence.com/reports/TALOS-2016-0177/"}, {"name": "94411", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94411"}, {"name": "GLSA-201701-13", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201701-13"}, {"name": "DSA-3727", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3727"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2016-4331", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When decoding data out of a dataset encoded with the H5Z_NBIT decoding, the HDF5 1.8.16 library will fail to ensure that the precision is within the bounds of the size leading to arbitrary code execution."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.talosintelligence.com/reports/TALOS-2016-0177/", "refsource": "MISC", "url": "http://www.talosintelligence.com/reports/TALOS-2016-0177/"}, {"name": "94411", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94411"}, {"name": "GLSA-201701-13", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201701-13"}, {"name": "DSA-3727", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3727"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T00:25:14.505Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.talosintelligence.com/reports/TALOS-2016-0177/"}, {"name": "94411", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/94411"}, {"name": "GLSA-201701-13", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201701-13"}, {"name": "DSA-3727", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3727"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2016-4331", "datePublished": "2016-11-18T20:00:00.000Z", "dateReserved": "2016-04-27T00:00:00.000Z", "dateUpdated": "2024-08-06T00:25:14.505Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hdfgroup:hdf5:1.8.16:*:*:*:*:*:*:*", "matchCriteriaId": "917A1D77-B6E2-48F6-B9FF-04A1D1646529", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When decoding data out of a dataset encoded with the H5Z_NBIT decoding, the HDF5 1.8.16 library will fail to ensure that the precision is within the bounds of the size leading to arbitrary code execution."}, {"lang": "es", "value": "Cuando se descodifican datos fuera de un conjunto de datos codificados con la decodificaci\u00f3n H5Z_NBIT, la librer\u00eda HDF5 1.8.16 fallar\u00e1 al asegurar que la precisi\u00f3n est\u00e1 dentro de los l\u00edmites del tama\u00f1o que conduce a la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "id": "CVE-2016-4331", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-11-18T20:59:02.240", "references": [{"source": "cret@cert.org", "url": "http://www.debian.org/security/2016/dsa-3727"}, {"source": "cret@cert.org", "url": "http://www.securityfocus.com/bid/94411"}, {"source": "cret@cert.org", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "http://www.talosintelligence.com/reports/TALOS-2016-0177/"}, {"source": "cret@cert.org", "url": "https://security.gentoo.org/glsa/201701-13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3727"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/94411"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "http://www.talosintelligence.com/reports/TALOS-2016-0177/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201701-13"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "hdf5: H5Z_NBIT heap buffer overflow", "id": "1397704", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1397704"}, "csaw": false, "cvss": {"cvss_base_score": "6.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "draft"}, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-122", "details": ["When decoding data out of a dataset encoded with the H5Z_NBIT decoding, the HDF5 1.8.16 library will fail to ensure that the precision is within the bounds of the size leading to arbitrary code execution.", "Multiple heap overflows were found in HDF5. These issues could be used to gain code execution in any program that exposes the affected functions to untrusted input. While HDF5 is shipped as a dependency, no Red Hat products are known to expose these issues in any supported use case at this time."], "name": "CVE-2016-4331", "package_state": [{"cpe": "cpe:/a:redhat:openstack:7", "fix_state": "Will not fix", "impact": "low", "package_name": "hdf5", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Will not fix", "package_name": "hdf5", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "impact": "low", "package_name": "hdf5", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:11", "fix_state": "Not affected", "impact": "low", "package_name": "hdf5", "product_name": "Red Hat OpenStack Platform 11 (Ocata)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Will not fix", "impact": "low", "package_name": "hdf5", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "impact": "low", "package_name": "hdf5", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2016-11-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-4331\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-4331\nhttp://www.talosintelligence.com/reports/TALOS-2016-0177/"], "threat_severity": "Important"}

{}