{"containers": {"cna": {"affected": [{"product": "libnbd", "vendor": "[UNKNOWN]", "versions": [{"status": "affected", "version": "1.0.3"}]}], "descriptions": [{"lang": "en", "value": "Structured reply is a feature of the newstyle NBD protocol allowing the server to send a reply in chunks. A bounds check which was supposed to test for chunk offsets smaller than the beginning of the request did not work because of signed/unsigned confusion. If one of these chunks contains a negative offset then data under control of the server is written to memory before the read buffer supplied by the client. If the read buffer is located on the stack then this allows the stack return address from nbd_pread() to be trivially modified, allowing arbitrary code execution under the control of the server. If the buffer is located on the heap then other memory objects before the buffer can be overwritten, which again would usually lead to arbitrary code execution."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-681", "description": "CWE-681", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-04T18:00:58", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14842"}, {"tags": ["x_refsource_MISC"], "url": "https://www.redhat.com/archives/libguestfs/2019-October/msg00060.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2019-14842", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "libnbd", "version": {"version_data": [{"version_value": "1.0.3"}]}}]}, "vendor_name": "[UNKNOWN]"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Structured reply is a feature of the newstyle NBD protocol allowing the server to send a reply in chunks. A bounds check which was supposed to test for chunk offsets smaller than the beginning of the request did not work because of signed/unsigned confusion. If one of these chunks contains a negative offset then data under control of the server is written to memory before the read buffer supplied by the client. If the read buffer is located on the stack then this allows the stack return address from nbd_pread() to be trivially modified, allowing arbitrary code execution under the control of the server. If the buffer is located on the heap then other memory objects before the buffer can be overwritten, which again would usually lead to arbitrary code execution."}]}, "impact": {"cvss": [[{"vectorString": "7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-681"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14842", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14842"}, {"name": "https://www.redhat.com/archives/libguestfs/2019-October/msg00060.html", "refsource": "MISC", "url": "https://www.redhat.com/archives/libguestfs/2019-October/msg00060.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:26:39.105Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14842"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.redhat.com/archives/libguestfs/2019-October/msg00060.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-14842", "datePublished": "2019-11-26T15:01:26", "dateReserved": "2019-08-10T00:00:00", "dateUpdated": "2024-08-05T00:26:39.105Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:libnbd:*:*:*:*:*:*:*:*", "matchCriteriaId": "1C96C554-82A1-4038-A20E-0D4D4BA7EFDB", "versionEndExcluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Structured reply is a feature of the newstyle NBD protocol allowing the server to send a reply in chunks. A bounds check which was supposed to test for chunk offsets smaller than the beginning of the request did not work because of signed/unsigned confusion. If one of these chunks contains a negative offset then data under control of the server is written to memory before the read buffer supplied by the client. If the read buffer is located on the stack then this allows the stack return address from nbd_pread() to be trivially modified, allowing arbitrary code execution under the control of the server. If the buffer is located on the heap then other memory objects before the buffer can be overwritten, which again would usually lead to arbitrary code execution."}, {"lang": "es", "value": "Una respuesta estructurada es una funcionalidad del nuevo protocolo NBD que permite al servidor enviar una respuesta en fragmentos. Una comprobaci\u00f3n de l\u00edmites que se supon\u00eda que probar\u00eda las compensaciones de fragmentos m\u00e1s peque\u00f1as que al comienzo de la petici\u00f3n no funcion\u00f3 debido a la confusi\u00f3n de signed/unsigned. Si uno de estos fragmentos contiene un desplazamiento negativo, los datos bajo control del servidor son escritos en la memoria antes del b\u00fafer de lectura suministrado por el cliente. Si el b\u00fafer de lectura es localizado en la pila, esto permite modificar trivialmente la direcci\u00f3n de retorno de la pila desde la funci\u00f3n nbd_pread(), permitiendo la ejecuci\u00f3n de c\u00f3digo arbitrario bajo el control del servidor. Si el b\u00fafer se encuentra en la pila, entonces otros objetos de memoria antes de que el b\u00fafer pueda ser sobrescrito, lo que de nuevo conllevar\u00eda usualmente a la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "id": "CVE-2019-14842", "lastModified": "2022-11-30T21:52:27.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-26T16:15:11.963", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14842"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.redhat.com/archives/libguestfs/2019-October/msg00060.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-681"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-681"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"bugzilla": {"description": "libnbd: remote code execution vulnerability", "id": "1776860", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1776860"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-681", "details": ["Structured reply is a feature of the newstyle NBD protocol allowing the server to send a reply in chunks. A bounds check which was supposed to test for chunk offsets smaller than the beginning of the request did not work because of signed/unsigned confusion. If one of these chunks contains a negative offset then data under control of the server is written to memory before the read buffer supplied by the client. If the read buffer is located on the stack then this allows the stack return address from nbd_pread() to be trivially modified, allowing arbitrary code execution under the control of the server. If the buffer is located on the heap then other memory objects before the buffer can be overwritten, which again would usually lead to arbitrary code execution.", "A bounds check vulnerability was found in libnbd's structured reply feature where the check was supposed to test for chunk offsets smaller than the beginning of the request but did not work because of signed/unsigned confusion. Structured reply is a feature of the newstyle NBD protocol allowing the server to send a reply in chunks. If one of these chunks contains a negative offset, then data under control of the server is written to memory before the read buffer supplied by the client. If the read buffer is located on the stack then this allows the stack, the return address from nbd_pread() to be trivially modified, allowing arbitrary code execution under the control of the server. If the buffer is located on the heap then other memory objects before the buffer can be overwritten, which again would usually lead to arbitrary code execution."], "name": "CVE-2019-14842", "public_date": "2019-10-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-14842\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-14842\nhttps://www.redhat.com/archives/libguestfs/2019-October/msg00060.html"], "statement": "This vulnerability does not affect any package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.", "threat_severity": "Moderate", "upstream_fix": "libnbd 1.0.3"}