{"containers": {"cna": {"affected": [{"product": "WavPack", "vendor": "WavPack", "versions": [{"status": "affected", "version": "5.1.0 and earlier [fixed: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b]"}]}], "descriptions": [{"lang": "en", "value": "WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-457", "description": "CWE-457: Use of Uninitialized Variable", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-15T12:06:12", "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "shortName": "dwf"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/dbry/WavPack/issues/66"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b"}, {"name": "USN-4062-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4062-1/"}, {"name": "FEDORA-2019-c72f5f6361", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYESOAZ6Z6IG4BQBURL6OUY6P4YB6SKS/"}, {"name": "FEDORA-2019-8eeb8f9d3f", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IX3J2JML5A7KC2BLGBEFTIIZR3EM7LVJ/"}, {"name": "FEDORA-2020-e55567b6be", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFFFWIWALGQPKINRDW3PRGRD5LOLGZA/"}, {"name": "FEDORA-2020-73274c9df4", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRWQNE3TH5UF64IKHKKHVCHJHUOVKJUH/"}, {"name": "[debian-lts-announce] 20210115 [SECURITY] [DLA 2525-1] wavpack security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00013.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@distributedweaknessfiling.org", "ID": "CVE-2019-1010317", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WavPack", "version": {"version_data": [{"version_value": "5.1.0 and earlier [fixed: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b]"}]}}]}, "vendor_name": "WavPack"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-457: Use of Uninitialized Variable"}]}]}, "references": {"reference_data": [{"name": "https://github.com/dbry/WavPack/issues/66", "refsource": "MISC", "url": "https://github.com/dbry/WavPack/issues/66"}, {"name": "https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b", "refsource": "MISC", "url": "https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b"}, {"name": "USN-4062-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4062-1/"}, {"name": "FEDORA-2019-c72f5f6361", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYESOAZ6Z6IG4BQBURL6OUY6P4YB6SKS/"}, {"name": "FEDORA-2019-8eeb8f9d3f", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IX3J2JML5A7KC2BLGBEFTIIZR3EM7LVJ/"}, {"name": "FEDORA-2020-e55567b6be", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFFFWIWALGQPKINRDW3PRGRD5LOLGZA/"}, {"name": "FEDORA-2020-73274c9df4", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRWQNE3TH5UF64IKHKKHVCHJHUOVKJUH/"}, {"name": "[debian-lts-announce] 20210115 [SECURITY] [DLA 2525-1] wavpack security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00013.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:07:18.514Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dbry/WavPack/issues/66"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b"}, {"name": "USN-4062-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4062-1/"}, {"name": "FEDORA-2019-c72f5f6361", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYESOAZ6Z6IG4BQBURL6OUY6P4YB6SKS/"}, {"name": "FEDORA-2019-8eeb8f9d3f", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IX3J2JML5A7KC2BLGBEFTIIZR3EM7LVJ/"}, {"name": "FEDORA-2020-e55567b6be", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFFFWIWALGQPKINRDW3PRGRD5LOLGZA/"}, {"name": "FEDORA-2020-73274c9df4", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRWQNE3TH5UF64IKHKKHVCHJHUOVKJUH/"}, {"name": "[debian-lts-announce] 20210115 [SECURITY] [DLA 2525-1] wavpack security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00013.html"}]}]}, "cveMetadata": {"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "assignerShortName": "dwf", "cveId": "CVE-2019-1010317", "datePublished": "2019-07-11T19:24:40", "dateReserved": "2019-03-20T00:00:00", "dateUpdated": "2024-08-05T03:07:18.514Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wavpack:wavpack:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5AF1FF6-17E5-429C-8280-8215E7010571", "versionEndIncluding": "5.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", "matchCriteriaId": "CD783B0C-9246-47D9-A937-6144FE8BFF0F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b."}, {"lang": "es", "value": "WavPack versiones 5.1.0 y anteriores, esta afectado por: CWE-457: Uso de Variable No Inicializada. El impacto es: Flujo de control inesperado, bloqueos y fallo de segmentaci\u00f3n. El componente es: ParseCaffHeaderConfig (en el archivo caff.c:486). El vector de ataque es: archivo .wav malicioso. La versi\u00f3n corregida es: Despu\u00e9s del commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b."}], "id": "CVE-2019-1010317", "lastModified": "2023-11-07T03:02:20.247", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-11T20:15:12.227", "references": [{"source": "josh@bress.net", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b"}, {"source": "josh@bress.net", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/dbry/WavPack/issues/66"}, {"source": "josh@bress.net", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00013.html"}, {"source": "josh@bress.net", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFFFWIWALGQPKINRDW3PRGRD5LOLGZA/"}, {"source": "josh@bress.net", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRWQNE3TH5UF64IKHKKHVCHJHUOVKJUH/"}, {"source": "josh@bress.net", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IX3J2JML5A7KC2BLGBEFTIIZR3EM7LVJ/"}, {"source": "josh@bress.net", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYESOAZ6Z6IG4BQBURL6OUY6P4YB6SKS/"}, {"source": "josh@bress.net", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4062-1/"}], "sourceIdentifier": "josh@bress.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-908"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-457"}], "source": "josh@bress.net", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2020:1581", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "wavpack-0:5.1.0-15.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}], "bugzilla": {"description": "wavpack: Use of uninitialized variable in ParseCaffHeaderConfig leads to DoS", "id": "1737747", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737747"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-20->CWE-665", "details": ["WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b."], "name": "CVE-2019-1010317", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "wavpack", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "wavpack", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2019-08-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-1010317\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-1010317"], "statement": "This issue affects wavpack versions as shipped with Red Hat Enterprise Linux 8. The security impact for this flaw was calculated as 'Low' by the Red Hat Product Security Team. Previous Red Hat Enterprise Linux versions are not affected as wavpack shipped with it doesn't support CAF file format, which is needed to reach the code where the flaw resides at.", "threat_severity": "Low"}