4.3

CVE-2014-4883

EPSS 0.11%
Veröffentlicht 28.11.2014 02:59:04
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle cret@cert.org
CVE-Watchlists
Login
Unerledigt
Login

resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lwip Project ≫ Lwip Version <= 1.4.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.271

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

http://git.savannah.gnu.org/cgit/lwip.git/commit/?id=9fb46e120655ac481b2af8f865d5ae56c39b831a

Patch

http://www.kb.cert.org/vuls/id/210620

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2014-4883

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2014-4883

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2014-4883

EUVD