CVE-2013-7239 - OpenCVE

memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials.

No CVSS v3.1

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:A/AC:L/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Memcached	Memcached

Configuration 1 [-]

OR	cpe:2.3:a:memcached:memcached::::::::
	cpe:2.3:a:memcached:memcached:1.4.0:::::::*
	cpe:2.3:a:memcached:memcached:1.4.1:::::::*
	cpe:2.3:a:memcached:memcached:1.4.2:::::::*
	cpe:2.3:a:memcached:memcached:1.4.3:::::::*
	cpe:2.3:a:memcached:memcached:1.4.4:::::::*
	cpe:2.3:a:memcached:memcached:1.4.5:::::::*
	cpe:2.3:a:memcached:memcached:1.4.6:::::::*
	cpe:2.3:a:memcached:memcached:1.4.7:::::::*
	cpe:2.3:a:memcached:memcached:1.4.8:::::::*
	cpe:2.3:a:memcached:memcached:1.4.9:::::::*
	cpe:2.3:a:memcached:memcached:1.4.10:::::::*
	cpe:2.3:a:memcached:memcached:1.4.11:::::::*
	cpe:2.3:a:memcached:memcached:1.4.12:::::::*
	cpe:2.3:a:memcached:memcached:1.4.13:::::::*
	cpe:2.3:a:memcached:memcached:1.4.14:::::::*
	cpe:2.3:a:memcached:memcached:1.4.15:::::::*

References

Link	Resource
http://seclists.org/oss-sec/2013/q4/572
http://secunia.com/advisories/56183	Vendor Advisory
http://www.debian.org/security/2014/dsa-2832
http://www.securityfocus.com/bid/64559
http://www.ubuntu.com/usn/USN-2080-1
https://code.google.com/p/memcached/wiki/ReleaseNotes1417	Patch

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: debian

Published: 2014-01-13T21:00:00

Updated: 2018-03-24T09:57:01

Reserved: 2013-12-30T00:00:00

Link: CVE-2013-7239

JSON object: View

NVD Information

Status : Modified

Published: 2014-01-13T21:55:05.230

Modified: 2018-03-25T01:29:00.633

Link: CVE-2013-7239

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-12-20T00:00:00", "descriptions": [{"lang": "en", "value": "memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-24T09:57:01", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"name": "64559", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/64559"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://code.google.com/p/memcached/wiki/ReleaseNotes1417"}, {"name": "[oss-security] 20131230 Re: CVE Request: SASL authentication allows wrong credentials to access memcache", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2013/q4/572"}, {"name": "USN-2080-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2080-1"}, {"name": "DSA-2832", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2014/dsa-2832"}, {"name": "56183", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/56183"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "ID": "CVE-2013-7239", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "64559", "refsource": "BID", "url": "http://www.securityfocus.com/bid/64559"}, {"name": "https://code.google.com/p/memcached/wiki/ReleaseNotes1417", "refsource": "CONFIRM", "url": "https://code.google.com/p/memcached/wiki/ReleaseNotes1417"}, {"name": "[oss-security] 20131230 Re: CVE Request: SASL authentication allows wrong credentials to access memcache", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2013/q4/572"}, {"name": "USN-2080-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2080-1"}, {"name": "DSA-2832", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2832"}, {"name": "56183", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/56183"}]}}}}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2013-7239", "datePublished": "2014-01-13T21:00:00", "dateReserved": "2013-12-30T00:00:00", "dateUpdated": "2018-03-24T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BC2D838-BD98-438F-8B8A-C2C26E129E63", "versionEndIncluding": "1.4.16", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "9D6D790C-560B-460F-A175-B47A5AFAA9F3", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "358D87E0-9392-4C00-94CE-C14BC408BCF9", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "CE58473C-3D01-4519-B1F9-1F1808191EDF", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "F45F2A98-7146-4501-B2A7-A376204DCFD2", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "C1F4CD0E-CB74-4D72-ABDF-97820DE6A595", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "0BC45B91-2C50-4D9A-9D8D-026249FB4B4B", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "8FE2B6E7-1066-4D7D-9346-F03487EAE77C", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "DC04F90C-2813-44F8-B48D-9EAF6E8B78A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "1E305092-2CFD-4A94-BCE5-7F9AAEDB74D2", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "924552C6-BF90-49F1-A562-620196503246", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "92EFE814-FA06-487A-8E5F-CD00457334A4", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "2AB6AF32-7B4B-4FEB-BE5D-A260852ED0DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "A93A9113-B3AE-4952-9B98-B296DB7580B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.13:*:*:*:*:*:*:*", "matchCriteriaId": "F60CAEF4-EDD2-474D-99AE-AFBDE73BBBCE", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.14:*:*:*:*:*:*:*", "matchCriteriaId": "29C9CE6E-6330-4346-8989-2A7DA7BFD19A", "vulnerable": true}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.15:*:*:*:*:*:*:*", "matchCriteriaId": "01E082CD-A502-4CD2-8995-2086217205A6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials."}, {"lang": "es", "value": "memcached anterior 1.4.17 permite a atacantes remotos evadir la autenticaci\u00f3n mediante el env\u00edo de una petici\u00f3n inv\u00e1lida con credenciales SASL, luego enviar otra petici\u00f3n con credenciales SASL incorrectas."}], "id": "CVE-2013-7239", "lastModified": "2018-03-25T01:29:00.633", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-01-13T21:55:05.230", "references": [{"source": "security@debian.org", "url": "http://seclists.org/oss-sec/2013/q4/572"}, {"source": "security@debian.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/56183"}, {"source": "security@debian.org", "url": "http://www.debian.org/security/2014/dsa-2832"}, {"source": "security@debian.org", "url": "http://www.securityfocus.com/bid/64559"}, {"source": "security@debian.org", "url": "http://www.ubuntu.com/usn/USN-2080-1"}, {"source": "security@debian.org", "tags": ["Patch"], "url": "https://code.google.com/p/memcached/wiki/ReleaseNotes1417"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}