CVE-2024-26134

Exploit

EPSS 0.81%
Published 19.02.2024 23:15:07
Last modified 02.01.2025 14:18:48
Source security-advisories@github.com
Teams watchlist Login
Open Login

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.

Affected products Warnungen 0 Metrics 3 CWE 1 References 11

Data is provided by the National Vulnerability Database (NVD)

Agronholm ≫ Cbor2 SwPlatformpython Version >= 5.5.1 < 5.6.2

Fedoraproject ≫ Fedora Version38

Fedoraproject ≫ Fedora Version39

Fedoraproject ≫ Fedora Version40

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.81%	0.729

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542

Product

https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df

Patch

https://github.com/agronholm/cbor2/pull/204

Issue Tracking

https://github.com/agronholm/cbor2/releases/tag/5.6.2

Release Notes

https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m

Vendor Advisory

Exploit

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/