{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-09-21T00:00:00", "descriptions": [{"lang": "en", "value": "In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis()."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-12-17T20:06:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "USN-3569-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3569-1/"}, {"name": "DSA-4113", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4113"}, {"tags": ["x_refsource_MISC"], "url": "https://gitlab.xiph.org/xiph/vorbis/issues/2329"}, {"name": "[debian-lts-announce] 20180430 [SECURITY] [DLA 1368-1] libvorbis security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00033.html"}, {"name": "[debian-lts-announce] 20191217 [SECURITY] [DLA 2039-1] libvorbis security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00021.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-14633", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis()."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "USN-3569-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3569-1/"}, {"name": "DSA-4113", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4113"}, {"name": "https://gitlab.xiph.org/xiph/vorbis/issues/2329", "refsource": "MISC", "url": "https://gitlab.xiph.org/xiph/vorbis/issues/2329"}, {"name": "[debian-lts-announce] 20180430 [SECURITY] [DLA 1368-1] libvorbis security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00033.html"}, {"name": "[debian-lts-announce] 20191217 [SECURITY] [DLA 2039-1] libvorbis security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00021.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T19:34:40.131Z"}, "title": "CVE Program Container", "references": [{"name": "USN-3569-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/3569-1/"}, {"name": "DSA-4113", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2018/dsa-4113"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.xiph.org/xiph/vorbis/issues/2329"}, {"name": "[debian-lts-announce] 20180430 [SECURITY] [DLA 1368-1] libvorbis security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00033.html"}, {"name": "[debian-lts-announce] 20191217 [SECURITY] [DLA 2039-1] libvorbis security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00021.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-14633", "datePublished": "2017-09-21T07:00:00", "dateReserved": "2017-09-21T00:00:00", "dateUpdated": "2024-08-05T19:34:40.131Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xiph.org:libvorbis:1.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "28797143-02BB-4A25-BA9D-E5220F13011F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "matchCriteriaId": "9070C9D8-A14A-467F-8253-33B966C16886", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis()."}, {"lang": "es", "value": "En Xiph.Org libvorbis 1.3.5, existe una vulnerabilidad de lectura de array fuera de l\u00edmites en la funci\u00f3n mapping0_forward() en mapping0.c, lo que puede provocar una denegaci\u00f3n de servicio cuando se opera con un archivo de audio manipulado con vorbis_analysis()."}], "id": "CVE-2017-14633", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-09-21T07:29:00.423", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://gitlab.xiph.org/xiph/vorbis/issues/2329"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00033.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00021.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3569-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4113"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://gitlab.xiph.org/xiph/vorbis/issues/2329"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00033.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3569-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4113"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "libvorbis: Out-of-bounds array read in the function mapping0_forward()", "id": "1499959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1499959"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-125", "details": ["In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis().", "An out-of-bounds read flaw was found in the way libvorbis handled processing of Ogg Vorbis format files. This flaw could potentially be used to crash an application using libvorbis by tricking the application into processing specially crafted files."], "name": "CVE-2017-14633", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "libvorbis", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "libvorbis", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2017-09-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-14633\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-14633"], "statement": "Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Low"}