CVE-2020-5234 - OpenCVE

MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:N/AC:L/Au:S/C:N/I:N/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Messagepack	Messagepack

Configuration 1 [-]

OR	cpe:2.3:a:messagepack:messagepack::::::c\#::*
	cpe:2.3:a:messagepack:messagepack::::::c\#::*
	cpe:2.3:a:messagepack:messagepack:2.0.94:alpha::::c\#::*
	cpe:2.3:a:messagepack:messagepack:2.0.110:alpha::::c\#::*
	cpe:2.3:a:messagepack:messagepack:2.0.119:beta::::c\#::*
	cpe:2.3:a:messagepack:messagepack:2.0.123:beta::::c\#::*
	cpe:2.3:a:messagepack:messagepack:2.0.204:beta::::c\#::*
	cpe:2.3:a:messagepack:messagepack:2.0.270:rc::::c\#::*
	cpe:2.3:a:messagepack:messagepack:2.0.299:rc::::c\#::*

No data.

References

Link	Providers
https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02
https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007
https://github.com/neuecc/MessagePack-CSharp/issues/810
https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-01-31T17:50:14

Updated: 2024-08-04T08:22:09.077Z

Reserved: 2020-01-02T00:00:00

Link: CVE-2020-5234

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-01-31T18:15:11.860

Modified: 2020-02-24T23:15:13.517

Link: CVE-2020-5234

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "MessagePack", "vendor": "neuecc", "versions": [{"status": "affected", "version": "< 1.9.11"}, {"status": "affected", "version": ">= 2.0.0, < 2.1.90"}]}, {"product": "MessagePack.ImmutableCollection", "vendor": "neuecc", "versions": [{"status": "affected", "version": "< 1.9.11"}, {"status": "affected", "version": ">= 2.0.0, < 2.1.90"}]}, {"product": "MessagePack.ReactiveProperty", "vendor": "neuecc", "versions": [{"status": "affected", "version": "< 1.9.11"}, {"status": "affected", "version": ">= 2.0.0, < 2.1.90"}]}, {"product": "MessagePack.UnityShims", "vendor": "neuecc", "versions": [{"status": "affected", "version": "< 1.9.11"}, {"status": "affected", "version": ">= 2.0.0, < 2.1.90"}]}], "descriptions": [{"lang": "en", "value": "MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-02-24T22:55:06", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/neuecc/MessagePack-CSharp/issues/810"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007"}], "source": {"advisory": "GHSA-7q36-4xx7-xcxf", "discovery": "UNKNOWN"}, "title": "Untrusted data can lead to DoS attack in MessagePack for C# and Unity", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5234", "STATE": "PUBLIC", "TITLE": "Untrusted data can lead to DoS attack in MessagePack for C# and Unity"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MessagePack", "version": {"version_data": [{"version_value": "< 1.9.11"}, {"version_value": ">= 2.0.0, < 2.1.90"}]}}, {"product_name": "MessagePack.ImmutableCollection", "version": {"version_data": [{"version_value": "< 1.9.11"}, {"version_value": ">= 2.0.0, < 2.1.90"}]}}, {"product_name": "MessagePack.ReactiveProperty", "version": {"version_data": [{"version_value": "< 1.9.11"}, {"version_value": ">= 2.0.0, < 2.1.90"}]}}, {"product_name": "MessagePack.UnityShims", "version": {"version_data": [{"version_value": "< 1.9.11"}, {"version_value": ">= 2.0.0, < 2.1.90"}]}}]}, "vendor_name": "neuecc"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-121: Stack-based Buffer Overflow"}]}]}, "references": {"reference_data": [{"name": "https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf", "refsource": "CONFIRM", "url": "https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf"}, {"name": "https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02", "refsource": "MISC", "url": "https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02"}, {"name": "https://github.com/neuecc/MessagePack-CSharp/issues/810", "refsource": "MISC", "url": "https://github.com/neuecc/MessagePack-CSharp/issues/810"}, {"name": "https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007", "refsource": "MISC", "url": "https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007"}]}, "source": {"advisory": "GHSA-7q36-4xx7-xcxf", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.077Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/neuecc/MessagePack-CSharp/issues/810"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5234", "datePublished": "2020-01-31T17:50:14", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:09.077Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:messagepack:messagepack:*:*:*:*:*:c\\#:*:*", "matchCriteriaId": "6E3E3D7A-9BC4-4387-9EBD-EE1DEE62266D", "versionEndExcluding": "1.9.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:*:*:*:*:*:c\\#:*:*", "matchCriteriaId": "F24DBCF3-4F9D-4409-9343-7B258B4F1B3F", "versionEndExcluding": "2.1.80", "versionStartIncluding": "2.0.323", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:2.0.94:alpha:*:*:*:c\\#:*:*", "matchCriteriaId": "5507008B-B8F8-4147-8E65-1481E479ABE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:2.0.110:alpha:*:*:*:c\\#:*:*", "matchCriteriaId": "37BBAB86-0E12-4B68-A325-C168F7BB2C1C", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:2.0.119:beta:*:*:*:c\\#:*:*", "matchCriteriaId": "C1D65411-111F-4243-AFC7-F561CED839B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:2.0.123:beta:*:*:*:c\\#:*:*", "matchCriteriaId": "D61D5CEA-5EB9-4C11-B379-604D8DE9F368", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:2.0.204:beta:*:*:*:c\\#:*:*", "matchCriteriaId": "129F03B4-C739-4EE9-ADCA-D9DC9337101E", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:2.0.270:rc:*:*:*:c\\#:*:*", "matchCriteriaId": "C6BB270F-6012-4C07-A070-E1F13048A439", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:2.0.299:rc:*:*:*:c\\#:*:*", "matchCriteriaId": "CB524CF3-98FF-41DF-9C44-553ED740152D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps."}, {"lang": "es", "value": "MessagePack para C # y Unity anterior a la versi\u00f3n 1.9.11 y 2.1.90 tiene una vulnerabilidad en la que los datos no seguros pueden provocar un ataque DoS debido a colisiones hash y desbordamiento de pila. Revise el Aviso de seguridad de GitHub vinculado para obtener m\u00e1s informaci\u00f3n y pasos de reparaci\u00f3n."}], "id": "CVE-2020-5234", "lastModified": "2020-02-24T23:15:13.517", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 6.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-01-31T18:15:11.860", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02"}, {"source": "security-advisories@github.com", "url": "https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007"}, {"source": "security-advisories@github.com", "url": "https://github.com/neuecc/MessagePack-CSharp/issues/810"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-121"}], "source": "security-advisories@github.com", "type": "Secondary"}]}