{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5371", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2023-10-04T03:01:36.569Z", "datePublished": "2023-10-04T16:01:48.187Z", "dateUpdated": "2024-08-29T15:04:51.442Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Wireshark", "vendor": "Wireshark Foundation", "versions": [{"lessThan": "4.0.9", "status": "affected", "version": "4.0.0", "versionType": "semver"}, {"lessThan": "3.6.17", "status": "affected", "version": "3.6.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "RTPS dissector memory leak in Wireshark 4.0.0 to 4.0.8 and 3.6.0 to 3.6.16 allows denial of service via packet injection or crafted capture file"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2024-08-29T15:04:51.442Z"}, "references": [{"url": "https://www.wireshark.org/security/wnpa-sec-2023-27.html"}, {"name": "GitLab Issue #19322", "tags": ["issue-tracking"], "url": "https://gitlab.com/wireshark/wireshark/-/issues/19322"}], "solutions": [{"lang": "en", "value": "Upgrade to version 4.0.9, 3.6.17 or above."}], "title": "Memory Allocation with Excessive Size Value in Wireshark"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:59:43.272Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wireshark.org/security/wnpa-sec-2023-27.html", "tags": ["x_transferred"]}, {"url": "https://gitlab.com/wireshark/wireshark/-/issues/19322", "name": "GitLab Issue #19322", "tags": ["issue-tracking", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202402-09", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/34DBP5P2RHQ7XUABPANYYMOGV5KS6VEP/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MADSCHKZSCKQ5NLIX3UMOIJD2JZ65L4V/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2D8B132-2CA2-4CC8-8268-EBDC6FC91A86", "versionEndExcluding": "3.6.17", "versionStartIncluding": "3.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:*", "matchCriteriaId": "1681464F-3F72-46F1-B81E-C1C4B34FBE08", "versionEndExcluding": "4.0.9", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RTPS dissector memory leak in Wireshark 4.0.0 to 4.0.8 and 3.6.0 to 3.6.16 allows denial of service via packet injection or crafted capture file"}, {"lang": "es", "value": "La p\u00e9rdida de memoria del disector RTPS en Wireshark 4.0.0 a 4.0.8 y 3.6.0 a 3.6.16 permite la denegaci\u00f3n de servicio mediante inyecci\u00f3n de paquetes o archivo de captura manipulado."}], "id": "CVE-2023-5371", "lastModified": "2024-08-29T15:15:18.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2023-10-04T17:15:10.437", "references": [{"source": "cve@gitlab.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://gitlab.com/wireshark/wireshark/-/issues/19322"}, {"source": "cve@gitlab.com", "tags": ["Vendor Advisory"], "url": "https://www.wireshark.org/security/wnpa-sec-2023-27.html"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-789"}], "source": "cve@gitlab.com", "type": "Secondary"}]}

{"bugzilla": {"description": "wireshark: RTPS dissector memory leak", "id": "2250146", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250146"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-401", "details": ["RTPS dissector memory leak in Wireshark 4.0.0 to 4.0.8 and 3.6.0 to 3.6.16 allows denial of service via packet injection or crafted capture file", "A memory leak flaw was found in Wireshark's RTPS dissector. This issue may cause an application crash via packet injection or crafted capture file."], "name": "CVE-2023-5371", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "wireshark", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "wireshark", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "wireshark", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "wireshark", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-10-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-5371\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5371\nhttps://gitlab.com/wireshark/wireshark/-/issues/19322\nhttps://www.wireshark.org/security/wnpa-sec-2023-27.html"], "statement": "Default memory protections in Red Hat Enterprise Linux should prevent this issue from causing a higher impact than an application crash in the user context. Therefore, the severity of this flaw is low.", "threat_severity": "Low", "upstream_fix": "wireshark 4.0.9, wireshark 3.6.17"}