CVE-2020-26243

Exploit

EPSS 2.61%
Veröffentlicht 25.11.2020 17:15:12
Zuletzt bearbeitet 21.11.2024 05:19:38
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Memory leak in nanopb

Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed. This is fixed in versions 0.3.9.7 and 0.4.4. The following workarounds are available: 1) Set the option `no_unions` for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code. 2) Set the type of the submessage field inside oneof to `FT_POINTER`. This way the whole submessage will be dynamically allocated and the problematic code is not executed. 3) Use an arena allocator for nanopb, to make sure all memory can be released afterwards.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 7

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nanopb Project ≫ Nanopb Version < 0.3.9.7

Nanopb Project ≫ Nanopb Version >= 0.4.0 < 0.4.4

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.61%	0.834

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:N/A:P
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/nanopb/nanopb/blob/2b48a361786dfb1f63d229840217a93aae064667/CHANGELOG.txt

Third Party Advisory

Release Notes

https://github.com/nanopb/nanopb/commit/4fe23595732b6f1254cfc11a9b8d6da900b55b0c

Patch

Third Party Advisory

https://github.com/nanopb/nanopb/issues/615

Patch

Third Party Advisory

Exploit

https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-26243

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-26243

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-26243

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2020-26243