{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-33600", "assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "state": "PUBLISHED", "assignerShortName": "glibc", "dateReserved": "2024-04-24T20:35:08.340Z", "datePublished": "2024-05-06T19:22:02.726Z", "dateUpdated": "2024-08-02T02:36:04.168Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "glibc", "vendor": "The GNU C Library", "versions": [{"lessThan": "2.40", "status": "affected", "version": "2.15", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>nscd: Null pointer crashes after notfound response<br><br>If the Name Service Cache Daemon's (nscd) cache fails to add a not-found<br>netgroup response to the cache, the client request can result in a null<br>pointer dereference. This flaw was introduced in glibc 2.15 when the<br>cache was added to nscd.<br><br>This vulnerability is only present in the nscd binary.<br></div>"}], "value": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n"}], "impacts": [{"capecId": "CAPEC-129", "descriptions": [{"lang": "en", "value": "CAPEC-129 Pointer Manipulation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "shortName": "glibc", "dateUpdated": "2024-05-06T19:22:02.726Z"}, "references": [{"url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006"}, {"url": "https://security.netapp.com/advisory/ntap-20240524-0013/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/22/5"}], "source": {"discovery": "UNKNOWN"}, "title": "nscd: Null pointer crashes after notfound response", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-33600", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-07T19:13:16.760599Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:44:18.891Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:36:04.168Z"}, "title": "CVE Program Container", "references": [{"url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240524-0013/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/22/5", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-33600", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-07T19:13:16.760599Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-07T19:13:22.262Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "nscd: Null pointer crashes after notfound response", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-129", "descriptions": [{"lang": "en", "value": "CAPEC-129 Pointer Manipulation"}]}], "affected": [{"vendor": "The GNU C Library", "product": "glibc", "versions": [{"status": "affected", "version": "2.15", "lessThan": "2.40", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006"}, {"url": "https://security.netapp.com/advisory/ntap-20240524-0013/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/22/5"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", "supportingMedia": [{"type": "text/html", "value": "<div>nscd: Null pointer crashes after notfound response<br><br>If the Name Service Cache Daemon's (nscd) cache fails to add a not-found<br>netgroup response to the cache, the client request can result in a null<br>pointer dereference. This flaw was introduced in glibc 2.15 when the<br>cache was added to nscd.<br><br>This vulnerability is only present in the nscd binary.<br></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "shortName": "glibc", "dateUpdated": "2024-05-06T19:22:02.726Z"}}}, "cveMetadata": {"cveId": "CVE-2024-33600", "state": "PUBLISHED", "dateUpdated": "2024-05-06T19:22:02.726Z", "dateReserved": "2024-04-24T20:35:08.340Z", "assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "datePublished": "2024-05-06T19:22:02.726Z", "assignerShortName": "glibc"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n"}, {"lang": "es", "value": "nscd: el puntero nulo falla despu\u00e9s de una respuesta no encontrada Si el cach\u00e9 del daemon de cach\u00e9 del servicio de nombres (nscd) no logra agregar una respuesta de grupo de red no encontrado al cach\u00e9, la solicitud del cliente puede resultar en una desreferencia del puntero nulo. Esta falla se introdujo en glibc 2.15 cuando se agreg\u00f3 el cach\u00e9 a nscd. Esta vulnerabilidad s\u00f3lo est\u00e1 presente en el binario nscd."}], "id": "CVE-2024-33600", "lastModified": "2024-11-21T09:17:13.973", "metrics": {}, "published": "2024-05-06T20:15:11.523", "references": [{"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "url": "http://www.openwall.com/lists/oss-security/2024/07/22/5"}, {"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html"}, {"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "url": "https://security.netapp.com/advisory/ntap-20240524-0013/"}, {"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/07/22/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240524-0013/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006"}], "sourceIdentifier": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3588", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "glibc-0:2.17-326.el7_9.3", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2024-06-04T00:00:00Z"}, {"advisory": "RHSA-2024:3344", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "glibc-0:2.28-251.el8_10.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3344", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "glibc-0:2.28-251.el8_10.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3464", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "glibc-0:2.28-101.el8_2.2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-05-29T00:00:00Z"}, {"advisory": "RHSA-2024:3309", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "glibc-0:2.28-151.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3309", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "glibc-0:2.28-151.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3309", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "glibc-0:2.28-151.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:2799", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "glibc-0:2.28-189.10.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-05-09T00:00:00Z"}, {"advisory": "RHSA-2024:3312", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "glibc-0:2.28-225.el8_8.11", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3339", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "glibc-0:2.34-100.el9_4.2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3339", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "glibc-0:2.34-100.el9_4.2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3423", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "glibc-0:2.34-28.el9_0.6", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-05-28T00:00:00Z"}, {"advisory": "RHSA-2024:3411", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "glibc-0:2.34-60.el9_2.14", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-05-28T00:00:00Z"}, {"advisory": "RHSA-2024:2799", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "glibc-0:2.28-189.10.el8_6", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2024-05-09T00:00:00Z"}, {"advisory": "RHSA-2024:4126", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-config-sync-rhel9:1.4.5-2", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-06-26T00:00:00Z"}, {"advisory": "RHSA-2024:4126", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-flow-collector-rhel9:1.4.5-2", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-06-26T00:00:00Z"}, {"advisory": "RHSA-2024:4126", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-operator-bundle:1.4.5-4", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-06-26T00:00:00Z"}, {"advisory": "RHSA-2024:4126", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-router-rhel9:2.4.3-4", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-06-26T00:00:00Z"}, {"advisory": "RHSA-2024:4126", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-service-controller-rhel9:1.4.5-2", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-06-26T00:00:00Z"}, {"advisory": "RHSA-2024:4126", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-site-controller-rhel9:1.4.5-2", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-06-26T00:00:00Z"}], "bugzilla": {"description": "glibc: null pointer dereferences after failed netgroup cache insertion", "id": "2277204", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2277204"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-476", "details": ["nscd: Null pointer crashes after notfound response\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\nThis vulnerability is only present in the nscd binary.", "A flaw was found in the glibc netgroup cache. After a failed cache insertion, addgetnetgrentX tries to send the non-existing response after the not-found header. This can lead to a null pointer dereference that causes a crash or exit."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-33600", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "compat-glibc", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "compat-glibc", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2024-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-33600\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-33600"], "statement": "The flaw identified in the glibc netgroup cache constitutes a moderate severity issue due to its potential to trigger null pointer dereferences, leading to program crashes or exits. While null pointer dereferences can cause disruptions to system operations and possibly result in denial-of-service conditions, their impact is limited primarily to the affected process or application instance. However, the risk of exploitation may vary depending on the context of system usage. Systems that heavily rely on netgroup functionality may be more susceptible to exploitation, particularly if malicious actors can manipulate network traffic to trigger the vulnerability.\nThis issue affects the nscd RPM package and not the glibc RPM package itself. Affected components are tracked by their RPM source package, in this case, the nscd binary package is built from the glibc source package, hence the affected component is glibc.", "threat_severity": "Moderate"}