CVE-2021-26788 - OpenCVE

Oryx Embedded CycloneTCP 1.7.6 to 2.0.0, fixed in 2.0.2, is affected by incorrect input validation, which may cause a denial of service (DoS). To exploit the vulnerability, an attacker needs to have TCP connectivity to the target system. Receiving a maliciously crafted TCP packet from an unauthenticated endpoint is sufficient to trigger the bug.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oryx-embedded	Cyclonetcp

Configuration 1 [-]

cpe:2.3:a:oryx-embedded:cyclonetcp:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/Oryx-Embedded/CycloneTCP/commit/de5336016edbe1e90327d0ed1cba5c4e49114366?branch=de5336016edbe1e90327d0ed1cba5c4e49114366&diff=split

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-08T12:53:12

Updated: 2024-08-03T20:33:41.034Z

Reserved: 2021-02-05T00:00:00

Link: CVE-2021-26788

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-03-08T13:15:12.737

Modified: 2021-03-12T21:37:48.247

Link: CVE-2021-26788

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Oryx Embedded CycloneTCP 1.7.6 to 2.0.0, fixed in 2.0.2, is affected by incorrect input validation, which may cause a denial of service (DoS). To exploit the vulnerability, an attacker needs to have TCP connectivity to the target system. Receiving a maliciously crafted TCP packet from an unauthenticated endpoint is sufficient to trigger the bug."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-08T12:53:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/Oryx-Embedded/CycloneTCP/commit/de5336016edbe1e90327d0ed1cba5c4e49114366?branch=de5336016edbe1e90327d0ed1cba5c4e49114366&diff=split"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-26788", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Oryx Embedded CycloneTCP 1.7.6 to 2.0.0, fixed in 2.0.2, is affected by incorrect input validation, which may cause a denial of service (DoS). To exploit the vulnerability, an attacker needs to have TCP connectivity to the target system. Receiving a maliciously crafted TCP packet from an unauthenticated endpoint is sufficient to trigger the bug."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Oryx-Embedded/CycloneTCP/commit/de5336016edbe1e90327d0ed1cba5c4e49114366?branch=de5336016edbe1e90327d0ed1cba5c4e49114366&diff=split", "refsource": "MISC", "url": "https://github.com/Oryx-Embedded/CycloneTCP/commit/de5336016edbe1e90327d0ed1cba5c4e49114366?branch=de5336016edbe1e90327d0ed1cba5c4e49114366&diff=split"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:33:41.034Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Oryx-Embedded/CycloneTCP/commit/de5336016edbe1e90327d0ed1cba5c4e49114366?branch=de5336016edbe1e90327d0ed1cba5c4e49114366&diff=split"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-26788", "datePublished": "2021-03-08T12:53:12", "dateReserved": "2021-02-05T00:00:00", "dateUpdated": "2024-08-03T20:33:41.034Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oryx-embedded:cyclonetcp:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9216DE7-8426-45F3-9FE8-A26DFD50C009", "versionEndIncluding": "2.0.0", "versionStartIncluding": "1.7.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Oryx Embedded CycloneTCP 1.7.6 to 2.0.0, fixed in 2.0.2, is affected by incorrect input validation, which may cause a denial of service (DoS). To exploit the vulnerability, an attacker needs to have TCP connectivity to the target system. Receiving a maliciously crafted TCP packet from an unauthenticated endpoint is sufficient to trigger the bug."}, {"lang": "es", "value": "Oryx Embedded CycloneTCP versiones 1.7.6 hasta 2.0.0, corregido en versi\u00f3n 2.0.2, est\u00e1 afectado por una comprobaci\u00f3n incorrecta de la entrada, lo que puede causar una denegaci\u00f3n de servicio (DoS). Para explotar la vulnerabilidad, un atacante necesitar tener conectividad TCP con el sistema de destino. Recibir un paquete TCP dise\u00f1ado con fines malicioso desde un endpoint no autenticado es suficiente para desencadenar el bug"}], "id": "CVE-2021-26788", "lastModified": "2021-03-12T21:37:48.247", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-08T13:15:12.737", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Oryx-Embedded/CycloneTCP/commit/de5336016edbe1e90327d0ed1cba5c4e49114366?branch=de5336016edbe1e90327d0ed1cba5c4e49114366&diff=split"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}