mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-08-04 08:44:25 +00:00
117 lines
4.1 KiB
JSON
117 lines
4.1 KiB
JSON
{
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"data_version": "4.0",
|
|
"CVE_data_meta": {
|
|
"DATE_PUBLIC": "2022-09-21T09:39:29.000Z",
|
|
"ID": "CVE-2022-2881",
|
|
"ASSIGNER": "security-officer@isc.org",
|
|
"STATE": "PUBLIC",
|
|
"TITLE": "Buffer overread in statistics channel code"
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "BIND9",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_name": "Open Source Branch 9.18",
|
|
"version_value": "9.18.0 through versions before 9.18.7"
|
|
},
|
|
{
|
|
"version_name": "Development Branch 9.19",
|
|
"version_value": "9.19.0 through versions before 9.19.5"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"vendor_name": "ISC"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"credit": [],
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process."
|
|
}
|
|
]
|
|
},
|
|
"exploit": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "This flaw was discovered in internal testing. We are not aware of any active exploits."
|
|
}
|
|
],
|
|
"impact": {
|
|
"cvss": {
|
|
"attackComplexity": "LOW",
|
|
"attackVector": "NETWORK",
|
|
"availabilityImpact": "HIGH",
|
|
"baseScore": 5.5,
|
|
"baseSeverity": "MEDIUM",
|
|
"confidentialityImpact": "LOW",
|
|
"integrityImpact": "NONE",
|
|
"privilegesRequired": "HIGH",
|
|
"scope": "UNCHANGED",
|
|
"userInteraction": "NONE",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H",
|
|
"version": "3.1"
|
|
}
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "In BIND 9.18.0 -> 9.18.6 and versions 9.19.0 -> 9.19.4 of the BIND 9.19 development branch, when an HTTP connection was reused to request statistics from the stats channel, the content length of successive responses could grow in size past the end of the allocated buffer."
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"name": "https://kb.isc.org/docs/cve-2022-2881",
|
|
"refsource": "CONFIRM",
|
|
"url": "https://kb.isc.org/docs/cve-2022-2881"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[oss-security] 20220921 ISC has disclosed six vulnerabilities in BIND (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178)",
|
|
"url": "http://www.openwall.com/lists/oss-security/2022/09/21/3"
|
|
},
|
|
{
|
|
"refsource": "GENTOO",
|
|
"name": "GLSA-202210-25",
|
|
"url": "https://security.gentoo.org/glsa/202210-25"
|
|
}
|
|
]
|
|
},
|
|
"solution": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Upgrade to the patched release most closely related to your current version of BIND: BIND 9.18.7 or BIND 9.19.5."
|
|
}
|
|
],
|
|
"source": {
|
|
"discovery": "INTERNAL"
|
|
},
|
|
"work_around": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Disable the statistics channel."
|
|
}
|
|
]
|
|
} |