CVE-2021-21404

EPSS 0.92%
Veröffentlicht 06.04.2021 20:15:13
Zuletzt bearbeitet 21.11.2024 05:48:17
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Syncthing ≫ Syncthing Version < 1.15.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.92%	0.752

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97

Patch

Third Party Advisory

https://github.com/syncthing/syncthing/releases/tag/v1.15.0

Third Party Advisory

Release Notes

https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h

Third Party Advisory

https://pkg.go.dev/github.com/syncthing/syncthing

Third Party Advisory

Product

https://nvd.nist.gov/vuln/detail/CVE-2021-21404