CVE-2021-33897 - OpenCVE

A buffer overflow in Synthesia before 10.7.5567, when a non-Latin locale is used, allows user-assisted attackers to cause a denial of service (application crash) via a crafted MIDI file with malformed bytes. This file is mishandled during a deletion attempt. In Synthesia before 10.9, an improper path handling allows local attackers to cause a denial of service (application crash) via a crafted MIDI file with malformed bytes.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Synthesiagame	Synthesia

Configuration 1 [-]

cpe:2.3:a:synthesiagame:synthesia:*:*:*:*:*:*:*:*

References

Link	Resource
https://isopach.dev/CVE-2021-33897	Third Party Advisory
https://synthesiagame.com/news	Release Notes Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-11-17T00:00:00

Updated: 2022-11-17T00:00:00

Reserved: 2021-06-06T00:00:00

Link: CVE-2021-33897

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-11-17T21:15:12.350

Modified: 2022-11-21T20:01:08.487

Link: CVE-2021-33897

JSON object: View

Redhat Information

No data.

CWE

CWE-120

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:synthesiagame:synthesia:*:*:*:*:*:*:*:*", "matchCriteriaId": "4713B975-BD98-4198-8DAD-A550D3FFE420", "versionEndIncluding": "10.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A buffer overflow in Synthesia before 10.7.5567, when a non-Latin locale is used, allows user-assisted attackers to cause a denial of service (application crash) via a crafted MIDI file with malformed bytes. This file is mishandled during a deletion attempt. In Synthesia before 10.9, an improper path handling allows local attackers to cause a denial of service (application crash) via a crafted MIDI file with malformed bytes."}, {"lang": "es", "value": "Un desbordamiento de b\u00fafer en Synthesia anterior a 10.7.5567, cuando se utiliza una configuraci\u00f3n regional no latina, permite a atacantes con la ayuda del usuario provocar una denegaci\u00f3n de servicio (ca\u00edda de la aplicaci\u00f3n) a trav\u00e9s de un archivo MIDI manipulado con bytes con un formato incorrecto. Este archivo se maneja mal durante un intento de borrado. En Synthesia anterior a 10.9, un manejo inadecuado de la ruta permite a atacantes locales provocar una denegaci\u00f3n de servicio (ca\u00edda de la aplicaci\u00f3n) a trav\u00e9s de un archivo MIDI manipulado con bytes con formato incorrecto."}], "id": "CVE-2021-33897", "lastModified": "2022-11-21T20:01:08.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-17T21:15:12.350", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://isopach.dev/CVE-2021-33897"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://synthesiagame.com/news"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "nvd@nist.gov", "type": "Primary"}]}