CVE-2023-32665 - OpenCVE

A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gnome	Glib
Redhat	Enterprise Linux

Configuration 1 [-]

cpe:2.3:a:gnome:glib:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 9
glib2-0:2.68.4-11.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:6631	2023-11-07T00:00:00Z
mingw-glib2-0:2.78.0-1.el9	cpe:/a:redhat:enterprise_linux:9::crb	RHSA-2024:2528	2024-04-30T00:00:00Z
glib2-0:2.68.4-11.el9	cpe:/o:redhat:enterprise_linux:9	RHSA-2023:6631	2023-11-07T00:00:00Z

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2023-32665
https://bugzilla.redhat.com/show_bug.cgi?id=2211827
https://gitlab.gnome.org/GNOME/glib/-/issues/2121
https://lists.debian.org/debian-lts-announce/2023/09/msg00030.html
https://nvd.nist.gov/vuln/detail/CVE-2023-32665
https://security.gentoo.org/glsa/202311-18
https://security.netapp.com/advisory/ntap-20240426-0006/
https://www.cve.org/CVERecord?id=CVE-2023-32665

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-09-14T19:03:58.229Z

Updated: 2024-08-02T15:25:36.651Z

Reserved: 2023-05-30T11:48:42.074Z

Link: CVE-2023-32665

Vulnrichment

Updated: 2024-08-02T15:25:36.651Z

NVD

Status : Modified

Published: 2023-09-14T20:15:09.883

Modified: 2024-04-26T09:15:07.333

Link: CVE-2023-32665

Redhat

Severity : Low

Publid Date: 2022-12-14T00:00:00Z

Links: CVE-2023-32665 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-32665", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-05-30T11:48:42.074Z", "datePublished": "2023-09-14T19:03:58.229Z", "dateUpdated": "2024-08-02T15:25:36.651Z"}, "containers": {"cna": {"title": "Gvariant deserialisation does not match spec for non-normal data", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service."}], "affected": [{"product": "glib2", "vendor": "n/a", "defaultStatus": "affected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glib2", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glib2", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glib2", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glib2", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"product": "Fedora 38", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "glib2", "defaultStatus": "affected"}, {"product": "Extra Packages for Enterprise Linux", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "glib", "defaultStatus": "affected"}, {"product": "Fedora", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "glib2", "defaultStatus": "affected"}, {"product": "Fedora 37", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "glib2", "defaultStatus": "affected"}, {"product": "Fedora 38", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "mingw-glib2", "defaultStatus": "affected"}, {"product": "Fedora 37", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "mingw-glib2", "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-32665", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211827", "name": "RHBZ#2211827", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.gnome.org/GNOME/glib/-/issues/2121"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00030.html"}, {"url": "https://security.gentoo.org/glsa/202311-18"}, {"url": "https://security.netapp.com/advisory/ntap-20240426-0006/"}], "datePublic": "2022-12-14T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption", "timeline": [{"lang": "en", "time": "2023-05-24T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2022-12-14T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Upstream acknowledges William Manley as the original reporter."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-09-14T19:03:58.229Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2023-11-27T17:04:41.563399Z", "id": "CVE-2023-32665", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T19:16:35.238Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:25:36.651Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-32665", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211827", "name": "RHBZ#2211827", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://gitlab.gnome.org/GNOME/glib/-/issues/2121", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00030.html", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202311-18", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240426-0006/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-32665", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211827", "name": "RHBZ#2211827", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://gitlab.gnome.org/GNOME/glib/-/issues/2121", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00030.html", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202311-18", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240426-0006/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:25:36.651Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-32665", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2023-11-27T17:04:41.563399Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T19:16:31.841Z"}}], "cna": {"title": "Gvariant deserialisation does not match spec for non-normal data", "credits": [{"lang": "en", "value": "Upstream acknowledges William Manley as the original reporter."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "glib2", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "packageName": "glib2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "glib2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "glib2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "packageName": "glib2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"vendor": "Fedora", "product": "Fedora 38", "packageName": "glib2", "collectionURL": "https://packages.fedoraproject.org/", "defaultStatus": "affected"}, {"vendor": "Fedora", "product": "Extra Packages for Enterprise Linux", "packageName": "glib", "collectionURL": "https://packages.fedoraproject.org/", "defaultStatus": "affected"}, {"vendor": "Fedora", "product": "Fedora", "packageName": "glib2", "collectionURL": "https://packages.fedoraproject.org/", "defaultStatus": "affected"}, {"vendor": "Fedora", "product": "Fedora 37", "packageName": "glib2", "collectionURL": "https://packages.fedoraproject.org/", "defaultStatus": "affected"}, {"vendor": "Fedora", "product": "Fedora 38", "packageName": "mingw-glib2", "collectionURL": "https://packages.fedoraproject.org/", "defaultStatus": "affected"}, {"vendor": "Fedora", "product": "Fedora 37", "packageName": "mingw-glib2", "collectionURL": "https://packages.fedoraproject.org/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2023-05-24T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2022-12-14T00:00:00+00:00", "value": "Made public."}], "datePublic": "2022-12-14T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-32665", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211827", "name": "RHBZ#2211827", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.gnome.org/GNOME/glib/-/issues/2121"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00030.html"}, {"url": "https://security.gentoo.org/glsa/202311-18"}, {"url": "https://security.netapp.com/advisory/ntap-20240426-0006/"}], "descriptions": [{"lang": "en", "value": "A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-09-14T19:03:58.229Z"}, "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption"}}, "cveMetadata": {"cveId": "CVE-2023-32665", "state": "PUBLISHED", "dateUpdated": "2024-08-02T15:25:36.651Z", "dateReserved": "2023-05-30T11:48:42.074Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2023-09-14T19:03:58.229Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnome:glib:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DF67CEA-BB12-4E90-9788-1AD9EF0FCB38", "versionEndExcluding": "2.74.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en GLib. La deserializaci\u00f3n de GVariant es vulnerable a un problema de explosi\u00f3n exponencial en el que un GVariant manipulado puede provocar un procesamiento excesivo y provocar una denegaci\u00f3n de servicio."}], "id": "CVE-2023-32665", "lastModified": "2024-04-26T09:15:07.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-09-14T20:15:09.883", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-32665"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211827"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://gitlab.gnome.org/GNOME/glib/-/issues/2121"}, {"source": "secalert@redhat.com", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00030.html"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/202311-18"}, {"source": "secalert@redhat.com", "url": "https://security.netapp.com/advisory/ntap-20240426-0006/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Upstream acknowledges William Manley as the original reporter.", "affected_release": [{"advisory": "RHSA-2023:6631", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "glib2-0:2.68.4-11.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}, {"advisory": "RHSA-2024:2528", "cpe": "cpe:/a:redhat:enterprise_linux:9::crb", "package": "mingw-glib2-0:2.78.0-1.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2023:6631", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "glib2-0:2.68.4-11.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}], "bugzilla": {"description": "glib: GVariant deserialisation does not match spec for non-normal data", "id": "2211827", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211827"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.", "A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service."], "name": "CVE-2023-32665", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "glib2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "glib2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "glib2", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2022-12-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-32665\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-32665\nhttps://gitlab.gnome.org/GNOME/glib/-/issues/2121"], "statement": "This vulnerability allows for a denial of service attack to be performed against applications that process untrusted GVariant input, compromising application availability by consuming excessive processing time or utilizing a large quantity of memory. The most likely threat is from a local user, which may be possible depending on the configuration of the service and the format of parameters that it expects. While a remote attack is possible if the application is configured to read GVariants over a network connection, this is not the default configuration which makes the likelihood low. Because the most widely available attack vector is local and the consequences are limited to denial of service, Red Hat Product Security rates the impact as Low.", "threat_severity": "Low"}