admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-29 05:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add CVE-2021-32795 for GHSA-5v34-4prm-9474

Browse Source
This commit is contained in:
Jonathan Moroney 2021-07-26 12:20:05 -07:00
parent 55c5a1a8d4
commit 690aea4544
No known key found for this signature in database
GPG Key ID: 3F1697A1388A846C
1 changed files with 81 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
2021/32xxx/CVE-2021-32795.json
View File

@ -1,18 +1,93 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32795",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Denial of Service via Steam chat in ArchiSteamFarm"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ArchiSteamFarm",
"version": {
"version_data": [
{
"version_value": ">= 4.3.0.0, < 4.3.1.0"
}
]
}
}
]
},
"vendor_name": "JustArchiNET"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "ArchiSteamFarm is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. In versions prior to 4.3.1.0 a Denial of Service (aka DoS) vulnerability which allows attacker to remotely crash running ASF instance through sending a specifically-crafted Steam chat message exists. The user sending the message does not need to be authorized within the bot or ASF process. The attacker needs to know ASF's `CommandPrefix` in advance, but majority of ASF setups run with an unchanged default value. This attack does not allow attacker to gain any potentially-sensitive information, such as logins or passwords, does not allow to execute arbitrary commands and otherwise exploit the crash further. The issue is patched in ASF V4.3.1.0. The only workaround which guarantees complete protection is running all bots with `OnlineStatus` of `0` (Offline). In this setup, ASF is able to ignore even the specifically-crafted message without attempting to interpret it."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/JustArchiNET/ArchiSteamFarm/security/advisories/GHSA-5v34-4prm-9474",
"refsource": "CONFIRM",
"url": "https://github.com/JustArchiNET/ArchiSteamFarm/security/advisories/GHSA-5v34-4prm-9474"
},
{
"name": "https://github.com/JustArchiNET/ArchiSteamFarm/commit/4cd581ec041912cf199c5512fe6d1dcaec0594c0",
"refsource": "MISC",
"url": "https://github.com/JustArchiNET/ArchiSteamFarm/commit/4cd581ec041912cf199c5512fe6d1dcaec0594c0"
},
{
"name": "https://steamcommunity.com/groups/archiasf/discussions/1/2935742047969570844/",
"refsource": "MISC",
"url": "https://steamcommunity.com/groups/archiasf/discussions/1/2935742047969570844/"
}
]
},
"source": {
"advisory": "GHSA-5v34-4prm-9474",
"discovery": "UNKNOWN"
}
}