{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2019-17362", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-05T01:40:15.198Z", "dateReserved": "2019-10-09T00:00:00", "datePublished": "2019-10-09T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-12-14T03:06:19.783626"}, "descriptions": [{"lang": "en", "value": "In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://vuldb.com/?id.142995"}, {"url": "https://github.com/libtom/libtomcrypt/issues/507"}, {"url": "https://github.com/libtom/libtomcrypt/pull/508"}, {"name": "[debian-lts-announce] 20191009 [SECURITY] [DLA 1951-1] libtomcrypt security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00010.html"}, {"name": "openSUSE-SU-2019:2454", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00020.html"}, {"name": "openSUSE-SU-2019:2514", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00041.html"}, {"name": "FEDORA-2023-1f0ac1260e", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU5OMCY3PX54YVI4FMNDEENHDJZJ3RJW/"}, {"name": "FEDORA-2023-b4b9b38f23", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/47YP5SXQ4RY6KMTK2HI5ZZR244XKRMCZ/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/47YP5SXQ4RY6KMTK2HI5ZZR244XKRMCZ/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU5OMCY3PX54YVI4FMNDEENHDJZJ3RJW/"}, {"url": "https://vuldb.com/?id.142995", "tags": ["x_transferred"]}, {"url": "https://github.com/libtom/libtomcrypt/issues/507", "tags": ["x_transferred"]}, {"url": "https://github.com/libtom/libtomcrypt/pull/508", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20191009 [SECURITY] [DLA 1951-1] libtomcrypt security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00010.html"}, {"name": "openSUSE-SU-2019:2454", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00020.html"}, {"name": "openSUSE-SU-2019:2514", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00041.html"}, {"name": "FEDORA-2023-1f0ac1260e", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU5OMCY3PX54YVI4FMNDEENHDJZJ3RJW/"}, {"name": "FEDORA-2023-b4b9b38f23", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/47YP5SXQ4RY6KMTK2HI5ZZR244XKRMCZ/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:40:15.198Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libtom:libtomcrypt:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE63BB49-3ED2-405D-895A-B80D48C738C4", "versionEndIncluding": "1.18.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data."}, {"lang": "es", "value": "En LibTomCrypt versiones hasta 1.18.2, la funci\u00f3n der_decode_utf8_string (en el archivo der_decode_utf8_string.c) no detecta apropiadamente determinadas secuencias UTF-8 no v\u00e1lidas. Esto permite a atacantes dependiendo del contexto causar una denegaci\u00f3n de servicio (lectura y bloqueo fuera de l\u00edmites) o leer informaci\u00f3n desde otras ubicaciones de memoria por medio de datos codificados con DER cuidadosamente dise\u00f1ados."}], "id": "CVE-2019-17362", "lastModified": "2023-12-14T03:15:36.103", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-09T01:15:10.130", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00020.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00041.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/libtom/libtomcrypt/issues/507"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/libtom/libtomcrypt/pull/508"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00010.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/47YP5SXQ4RY6KMTK2HI5ZZR244XKRMCZ/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU5OMCY3PX54YVI4FMNDEENHDJZJ3RJW/"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://vuldb.com/?id.142995"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "libtomcrypt: out-of-bounds read in the der_decode_utf8_string function in der_decode_utf8_string.c", "id": "1775212", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1775212"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "status": "draft"}, "cwe": "CWE-125", "details": ["In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data."], "name": "CVE-2019-17362", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Not affected", "package_name": "libtomcrypt", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:ansible_engine:2", "fix_state": "Not affected", "package_name": "libtomcrypt", "product_name": "Red Hat Ansible Engine 2"}], "public_date": "2019-08-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-17362\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-17362"], "statement": "Red Hat CloudForms 5.9, 5.10 and 5.11 are not affected as it does not ship anymore libtomcrypt library. Only CloudForms 5.8 which is EOL delivers libtomcrypt library.\nRed Hat Ansible Engine 2.8 and 2.9 are not affected as it does not ship libtomcrypt library anymore and Ansible Engine 2.7 had deprecate it.", "threat_severity": "Moderate"}