{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-33601", "assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "state": "PUBLISHED", "assignerShortName": "glibc", "dateReserved": "2024-04-24T20:35:08.340Z", "datePublished": "2024-05-06T19:22:07.763Z", "dateUpdated": "2024-08-02T02:36:04.342Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "glibc", "vendor": "The GNU C Library", "versions": [{"lessThan": "2.40", "status": "affected", "version": "2.15", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>nscd: netgroup cache may terminate daemon on memory allocation failure<br><br>The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or<br>xrealloc and these functions may terminate the process due to a memory<br>allocation failure resulting in a denial of service to the clients. The<br>flaw was introduced in glibc 2.15 when the cache was added to nscd.<br><br>This vulnerability is only present in the nscd binary.<br></div>"}], "value": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n"}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "description": "CWE-617 Reachable Assertion", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "shortName": "glibc", "dateUpdated": "2024-05-06T19:22:07.763Z"}, "references": [{"url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007"}, {"url": "https://security.netapp.com/advisory/ntap-20240524-0014/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/22/5"}], "source": {"discovery": "UNKNOWN"}, "title": "nscd: netgroup cache may terminate daemon on memory allocation failure", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-33601", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-09T17:26:01.322253Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:gnu:glibc:-:*:*:*:*:*:*:*"], "vendor": "gnu", "product": "glibc", "versions": [{"status": "affected", "version": "2.15", "lessThan": "2.40", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:44:28.720Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:36:04.342Z"}, "title": "CVE Program Container", "references": [{"url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240524-0014/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/22/5", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-33601", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-09T17:26:01.322253Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:gnu:glibc:-:*:*:*:*:*:*:*"], "vendor": "gnu", "product": "glibc", "versions": [{"status": "affected", "version": "2.15", "lessThan": "2.40", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-09T17:30:40.612Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "nscd: netgroup cache may terminate daemon on memory allocation failure", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "affected": [{"vendor": "The GNU C Library", "product": "glibc", "versions": [{"status": "affected", "version": "2.15", "lessThan": "2.40", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007"}, {"url": "https://security.netapp.com/advisory/ntap-20240524-0014/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/22/5"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", "supportingMedia": [{"type": "text/html", "value": "<div>nscd: netgroup cache may terminate daemon on memory allocation failure<br><br>The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or<br>xrealloc and these functions may terminate the process due to a memory<br>allocation failure resulting in a denial of service to the clients. The<br>flaw was introduced in glibc 2.15 when the cache was added to nscd.<br><br>This vulnerability is only present in the nscd binary.<br></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-617", "description": "CWE-617 Reachable Assertion"}]}], "providerMetadata": {"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "shortName": "glibc", "dateUpdated": "2024-05-06T19:22:07.763Z"}}}, "cveMetadata": {"cveId": "CVE-2024-33601", "state": "PUBLISHED", "dateUpdated": "2024-05-06T19:22:07.763Z", "dateReserved": "2024-04-24T20:35:08.340Z", "assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "datePublished": "2024-05-06T19:22:07.763Z", "assignerShortName": "glibc"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n"}, {"lang": "es", "value": "nscd: la cach\u00e9 de netgroup puede terminar el daemon ante una falla en la asignaci\u00f3n de memoria La cach\u00e9 de netgroup del daemon de cach\u00e9 del servicio de nombres (nscd) usa xmalloc o xrealloc y estas funciones pueden terminar el proceso debido a una falla en la asignaci\u00f3n de memoria que resulta en una denegaci\u00f3n de servicio a los clientes. La falla se introdujo en glibc 2.15 cuando se agreg\u00f3 el cach\u00e9 a nscd. Esta vulnerabilidad s\u00f3lo est\u00e1 presente en el binario nscd."}], "id": "CVE-2024-33601", "lastModified": "2024-07-22T18:15:03.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-06T20:15:11.603", "references": [{"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "url": "http://www.openwall.com/lists/oss-security/2024/07/22/5"}, {"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html"}, {"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "url": "https://security.netapp.com/advisory/ntap-20240524-0014/"}, {"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007"}], "sourceIdentifier": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3588", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "glibc-0:2.17-326.el7_9.3", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2024-06-04T00:00:00Z"}, {"advisory": "RHSA-2024:3344", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "glibc-0:2.28-251.el8_10.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3344", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "glibc-0:2.28-251.el8_10.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3464", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "glibc-0:2.28-101.el8_2.2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-05-29T00:00:00Z"}, {"advisory": "RHSA-2024:3309", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "glibc-0:2.28-151.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3309", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "glibc-0:2.28-151.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3309", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "glibc-0:2.28-151.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:2799", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "glibc-0:2.28-189.10.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-05-09T00:00:00Z"}, {"advisory": "RHSA-2024:3312", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "glibc-0:2.28-225.el8_8.11", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3339", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "glibc-0:2.34-100.el9_4.2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3339", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "glibc-0:2.34-100.el9_4.2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3423", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "glibc-0:2.34-28.el9_0.6", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-05-28T00:00:00Z"}, {"advisory": "RHSA-2024:3411", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "glibc-0:2.34-60.el9_2.14", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-05-28T00:00:00Z"}, {"advisory": "RHSA-2024:2799", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "glibc-0:2.28-189.10.el8_6", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2024-05-09T00:00:00Z"}, {"advisory": "RHSA-2024:4126", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-config-sync-rhel9:1.4.5-2", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-06-26T00:00:00Z"}, {"advisory": "RHSA-2024:4126", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-flow-collector-rhel9:1.4.5-2", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-06-26T00:00:00Z"}, {"advisory": "RHSA-2024:4126", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-operator-bundle:1.4.5-4", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-06-26T00:00:00Z"}, {"advisory": "RHSA-2024:4126", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-router-rhel9:2.4.3-4", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-06-26T00:00:00Z"}, {"advisory": "RHSA-2024:4126", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-service-controller-rhel9:1.4.5-2", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-06-26T00:00:00Z"}, {"advisory": "RHSA-2024:4126", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-site-controller-rhel9:1.4.5-2", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-06-26T00:00:00Z"}], "bugzilla": {"description": "glibc: netgroup cache may terminate daemon on memory allocation failure", "id": "2277205", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2277205"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-703", "details": ["nscd: netgroup cache may terminate daemon on memory allocation failure\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\nThis vulnerability is only present in the nscd binary.", "A flaw was found in the glibc netgroup cache. The netgroup cache uses xmalloc/xrealloc and may terminate the process due to a memory allocation failure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-33601", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "compat-glibc", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "compat-glibc", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2024-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-33601\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-33601"], "statement": "The flaw in the glibc netgroup cache, while concerning, is categorized as a low severity issue due to several factors. Firstly, the exploitation of this vulnerability requires specific conditions, such as a memory allocation failure within the netgroup cache, which may not occur frequently in typical usage scenarios. Additionally, the impact of such failures is limited to the termination of the affected process, rather than facilitating unauthorized access or data manipulation. Furthermore, the likelihood of successful exploitation and the potential for widespread harm are comparatively low, given the specific nature of the vulnerability and its constrained impact.\nThis issue affects the nscd RPM package and not the glibc RPM package itself. Affected components are tracked by their RPM source package, in this case, the nscd binary package is built from the glibc source package, hence the affected component is glibc.", "threat_severity": "Low"}