CVE-2020-5235 - OpenCVE

There is a potentially exploitable out of memory condition In Nanopb before 0.4.1, 0.3.9.5, and 0.2.9.4. When nanopb is compiled with PB_ENABLE_MALLOC, the message to be decoded contains a repeated string, bytes or message field and realloc() runs out of memory when expanding the array nanopb can end up calling `free()` on a pointer value that comes from uninitialized memory. Depending on platform this can result in a crash or further memory corruption, which may be exploitable in some cases. This problem is fixed in nanopb-0.4.1, nanopb-0.3.9.5, nanopb-0.2.9.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nanopb Project	Nanopb

Configuration 1 [-]

OR	cpe:2.3:a:nanopb_project:nanopb::::::::
	cpe:2.3:a:nanopb_project:nanopb::::::::
	cpe:2.3:a:nanopb_project:nanopb::::::::

No data.

References

Link	Providers
https://github.com/nanopb/nanopb/commit/45582f1f97f49e2abfdba1463d1e1027682d9856
https://github.com/nanopb/nanopb/commit/7b396821ddd06df8e39143f16e1dc0a4645b89a3
https://github.com/nanopb/nanopb/commit/aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2
https://github.com/nanopb/nanopb/security/advisories/GHSA-gcx3-7m76-287p

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-02-04T03:00:18

Updated: 2024-08-04T08:22:09.040Z

Reserved: 2020-01-02T00:00:00

Link: CVE-2020-5235

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-02-04T03:15:10.657

Modified: 2020-02-06T18:51:56.517

Link: CVE-2020-5235

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Nanopb", "vendor": "nanopb", "versions": [{"status": "affected", "version": "< 0.2.9.4"}, {"status": "affected", "version": ">= 0.3.0, < 0.3.9.5"}, {"status": "affected", "version": ">= 0.4.0, < 0.4.1"}]}], "descriptions": [{"lang": "en", "value": "There is a potentially exploitable out of memory condition In Nanopb before 0.4.1, 0.3.9.5, and 0.2.9.4. When nanopb is compiled with PB_ENABLE_MALLOC, the message to be decoded contains a repeated string, bytes or message field and realloc() runs out of memory when expanding the array nanopb can end up calling `free()` on a pointer value that comes from uninitialized memory. Depending on platform this can result in a crash or further memory corruption, which may be exploitable in some cases. This problem is fixed in nanopb-0.4.1, nanopb-0.3.9.5, nanopb-0.2.9.4."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-02-04T03:00:18", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nanopb/nanopb/security/advisories/GHSA-gcx3-7m76-287p"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nanopb/nanopb/commit/45582f1f97f49e2abfdba1463d1e1027682d9856"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nanopb/nanopb/commit/7b396821ddd06df8e39143f16e1dc0a4645b89a3"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nanopb/nanopb/commit/aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2"}], "source": {"advisory": "GHSA-gcx3-7m76-287p", "discovery": "UNKNOWN"}, "title": "Out-of-memory condition in Nanopb is potentially exploitable", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5235", "STATE": "PUBLIC", "TITLE": "Out-of-memory condition in Nanopb is potentially exploitable"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Nanopb", "version": {"version_data": [{"version_value": "< 0.2.9.4"}, {"version_value": ">= 0.3.0, < 0.3.9.5"}, {"version_value": ">= 0.4.0, < 0.4.1"}]}}]}, "vendor_name": "nanopb"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "There is a potentially exploitable out of memory condition In Nanopb before 0.4.1, 0.3.9.5, and 0.2.9.4. When nanopb is compiled with PB_ENABLE_MALLOC, the message to be decoded contains a repeated string, bytes or message field and realloc() runs out of memory when expanding the array nanopb can end up calling `free()` on a pointer value that comes from uninitialized memory. Depending on platform this can result in a crash or further memory corruption, which may be exploitable in some cases. This problem is fixed in nanopb-0.4.1, nanopb-0.3.9.5, nanopb-0.2.9.4."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-125: Out-of-bounds Read"}]}]}, "references": {"reference_data": [{"name": "https://github.com/nanopb/nanopb/security/advisories/GHSA-gcx3-7m76-287p", "refsource": "CONFIRM", "url": "https://github.com/nanopb/nanopb/security/advisories/GHSA-gcx3-7m76-287p"}, {"name": "https://github.com/nanopb/nanopb/commit/45582f1f97f49e2abfdba1463d1e1027682d9856", "refsource": "MISC", "url": "https://github.com/nanopb/nanopb/commit/45582f1f97f49e2abfdba1463d1e1027682d9856"}, {"name": "https://github.com/nanopb/nanopb/commit/7b396821ddd06df8e39143f16e1dc0a4645b89a3", "refsource": "MISC", "url": "https://github.com/nanopb/nanopb/commit/7b396821ddd06df8e39143f16e1dc0a4645b89a3"}, {"name": "https://github.com/nanopb/nanopb/commit/aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2", "refsource": "MISC", "url": "https://github.com/nanopb/nanopb/commit/aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2"}]}, "source": {"advisory": "GHSA-gcx3-7m76-287p", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.040Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nanopb/nanopb/security/advisories/GHSA-gcx3-7m76-287p"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nanopb/nanopb/commit/45582f1f97f49e2abfdba1463d1e1027682d9856"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nanopb/nanopb/commit/7b396821ddd06df8e39143f16e1dc0a4645b89a3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nanopb/nanopb/commit/aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5235", "datePublished": "2020-02-04T03:00:18", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:09.040Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nanopb_project:nanopb:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C0C3188-DACC-4BFC-88EE-17A3EA6DECB4", "versionEndExcluding": "0.2.9.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:nanopb_project:nanopb:*:*:*:*:*:*:*:*", "matchCriteriaId": "7AC327EC-CA02-408D-B00C-1A23ACB339F4", "versionEndExcluding": "0.3.9.5", "versionStartIncluding": "0.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nanopb_project:nanopb:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F47A79C-0D54-439F-ADE6-BB093268FAA3", "versionEndExcluding": "0.4.1", "versionStartIncluding": "0.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "There is a potentially exploitable out of memory condition In Nanopb before 0.4.1, 0.3.9.5, and 0.2.9.4. When nanopb is compiled with PB_ENABLE_MALLOC, the message to be decoded contains a repeated string, bytes or message field and realloc() runs out of memory when expanding the array nanopb can end up calling `free()` on a pointer value that comes from uninitialized memory. Depending on platform this can result in a crash or further memory corruption, which may be exploitable in some cases. This problem is fixed in nanopb-0.4.1, nanopb-0.3.9.5, nanopb-0.2.9.4."}, {"lang": "es", "value": "Se presenta una condici\u00f3n de falta de memoria explotable potencialmente en Nanopb versiones anteriores a 0.4.1, 0.3.9.5 y 0.2.9.4. Cuando se compila nanopb con PB_ENABLE_MALLOC, el mensaje que va a ser decodificado contiene una cadena repetida, campo bytes o message y la funci\u00f3n realloc() se queda sin memoria cuando se expande la matriz, nanopb puede terminar llamando a \"free()\" en un valor de puntero que proviene de una memoria no inicializada. Dependiendo de la plataforma, esto puede resultar en un bloqueo o una mayor corrupci\u00f3n de la memoria, que puede ser explotable en algunos casos. Este problema es corregido en las versiones nanopb-0.4.1, nanopb-0.3.9.5, nanopb-0.2.9.4."}], "id": "CVE-2020-5235", "lastModified": "2020-02-06T18:51:56.517", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-02-04T03:15:10.657", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nanopb/nanopb/commit/45582f1f97f49e2abfdba1463d1e1027682d9856"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nanopb/nanopb/commit/7b396821ddd06df8e39143f16e1dc0a4645b89a3"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nanopb/nanopb/commit/aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nanopb/nanopb/security/advisories/GHSA-gcx3-7m76-287p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Secondary"}]}