CVE-2020-5234 - OpenCVE

MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:N/AC:L/Au:S/C:N/I:N/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Messagepack	Messagepack

Configuration 1 [-]

OR	cpe:2.3:a:messagepack:messagepack::::::c\#::*
	cpe:2.3:a:messagepack:messagepack::::::c\#::*
	cpe:2.3:a:messagepack:messagepack:2.0.94:alpha::::c\#::*
	cpe:2.3:a:messagepack:messagepack:2.0.110:alpha::::c\#::*
	cpe:2.3:a:messagepack:messagepack:2.0.119:beta::::c\#::*
	cpe:2.3:a:messagepack:messagepack:2.0.123:beta::::c\#::*
	cpe:2.3:a:messagepack:messagepack:2.0.204:beta::::c\#::*
	cpe:2.3:a:messagepack:messagepack:2.0.270:rc::::c\#::*
	cpe:2.3:a:messagepack:messagepack:2.0.299:rc::::c\#::*

References

Link	Resource
https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02	Patch Third Party Advisory
https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007
https://github.com/neuecc/MessagePack-CSharp/issues/810
https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-01-31T17:50:14

Updated: 2020-02-24T22:55:06

Reserved: 2020-01-02T00:00:00

Link: CVE-2020-5234

JSON object: View

NVD Information

Status : Modified

Published: 2020-01-31T18:15:11.860

Modified: 2020-02-24T23:15:13.517

Link: CVE-2020-5234

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "MessagePack", "vendor": "neuecc", "versions": [{"status": "affected", "version": "< 1.9.11"}, {"status": "affected", "version": ">= 2.0.0, < 2.1.90"}]}, {"product": "MessagePack.ImmutableCollection", "vendor": "neuecc", "versions": [{"status": "affected", "version": "< 1.9.11"}, {"status": "affected", "version": ">= 2.0.0, < 2.1.90"}]}, {"product": "MessagePack.ReactiveProperty", "vendor": "neuecc", "versions": [{"status": "affected", "version": "< 1.9.11"}, {"status": "affected", "version": ">= 2.0.0, < 2.1.90"}]}, {"product": "MessagePack.UnityShims", "vendor": "neuecc", "versions": [{"status": "affected", "version": "< 1.9.11"}, {"status": "affected", "version": ">= 2.0.0, < 2.1.90"}]}], "descriptions": [{"lang": "en", "value": "MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-02-24T22:55:06", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/neuecc/MessagePack-CSharp/issues/810"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007"}], "source": {"advisory": "GHSA-7q36-4xx7-xcxf", "discovery": "UNKNOWN"}, "title": "Untrusted data can lead to DoS attack in MessagePack for C# and Unity", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5234", "STATE": "PUBLIC", "TITLE": "Untrusted data can lead to DoS attack in MessagePack for C# and Unity"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MessagePack", "version": {"version_data": [{"version_value": "< 1.9.11"}, {"version_value": ">= 2.0.0, < 2.1.90"}]}}, {"product_name": "MessagePack.ImmutableCollection", "version": {"version_data": [{"version_value": "< 1.9.11"}, {"version_value": ">= 2.0.0, < 2.1.90"}]}}, {"product_name": "MessagePack.ReactiveProperty", "version": {"version_data": [{"version_value": "< 1.9.11"}, {"version_value": ">= 2.0.0, < 2.1.90"}]}}, {"product_name": "MessagePack.UnityShims", "version": {"version_data": [{"version_value": "< 1.9.11"}, {"version_value": ">= 2.0.0, < 2.1.90"}]}}]}, "vendor_name": "neuecc"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-121: Stack-based Buffer Overflow"}]}]}, "references": {"reference_data": [{"name": "https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf", "refsource": "CONFIRM", "url": "https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf"}, {"name": "https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02", "refsource": "MISC", "url": "https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02"}, {"name": "https://github.com/neuecc/MessagePack-CSharp/issues/810", "refsource": "MISC", "url": "https://github.com/neuecc/MessagePack-CSharp/issues/810"}, {"name": "https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007", "refsource": "MISC", "url": "https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007"}]}, "source": {"advisory": "GHSA-7q36-4xx7-xcxf", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5234", "datePublished": "2020-01-31T17:50:14", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2020-02-24T22:55:06", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:messagepack:messagepack:*:*:*:*:*:c\\#:*:*", "matchCriteriaId": "6E3E3D7A-9BC4-4387-9EBD-EE1DEE62266D", "versionEndExcluding": "1.9.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:*:*:*:*:*:c\\#:*:*", "matchCriteriaId": "F24DBCF3-4F9D-4409-9343-7B258B4F1B3F", "versionEndExcluding": "2.1.80", "versionStartIncluding": "2.0.323", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:2.0.94:alpha:*:*:*:c\\#:*:*", "matchCriteriaId": "5507008B-B8F8-4147-8E65-1481E479ABE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:2.0.110:alpha:*:*:*:c\\#:*:*", "matchCriteriaId": "37BBAB86-0E12-4B68-A325-C168F7BB2C1C", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:2.0.119:beta:*:*:*:c\\#:*:*", "matchCriteriaId": "C1D65411-111F-4243-AFC7-F561CED839B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:2.0.123:beta:*:*:*:c\\#:*:*", "matchCriteriaId": "D61D5CEA-5EB9-4C11-B379-604D8DE9F368", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:2.0.204:beta:*:*:*:c\\#:*:*", "matchCriteriaId": "129F03B4-C739-4EE9-ADCA-D9DC9337101E", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:2.0.270:rc:*:*:*:c\\#:*:*", "matchCriteriaId": "C6BB270F-6012-4C07-A070-E1F13048A439", "vulnerable": true}, {"criteria": "cpe:2.3:a:messagepack:messagepack:2.0.299:rc:*:*:*:c\\#:*:*", "matchCriteriaId": "CB524CF3-98FF-41DF-9C44-553ED740152D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps."}, {"lang": "es", "value": "MessagePack para C # y Unity anterior a la versi\u00f3n 1.9.11 y 2.1.90 tiene una vulnerabilidad en la que los datos no seguros pueden provocar un ataque DoS debido a colisiones hash y desbordamiento de pila. Revise el Aviso de seguridad de GitHub vinculado para obtener m\u00e1s informaci\u00f3n y pasos de reparaci\u00f3n."}], "id": "CVE-2020-5234", "lastModified": "2020-02-24T23:15:13.517", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 6.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-01-31T18:15:11.860", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02"}, {"source": "security-advisories@github.com", "url": "https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007"}, {"source": "security-advisories@github.com", "url": "https://github.com/neuecc/MessagePack-CSharp/issues/810"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-121"}], "source": "security-advisories@github.com", "type": "Secondary"}]}