CVE-2022-32166 - OpenCVE

In ovs versions v0.90.0 through v2.5.0 are vulnerable to heap buffer over-read in flow.c. An unsafe comparison of “minimasks” function could lead access to an unmapped region of memory. This vulnerability is capable of crashing the software, memory modification, and possible remote execution.

CVSS

No CVSS.

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Cloudbase	Open Vswitch

Configuration 1 [-]

cpe:2.3:a:cloudbase:open_vswitch:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/cloudbase/ovs/commit/2ed6505555cdcb46f9b1f0329d1491b75290fc73	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00036.html	Mailing List Third Party Advisory
https://www.mend.io/vulnerability-database/CVE-2022-32166	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Mend

Published: 2022-06-01T00:00:00

Updated: 2022-10-29T00:00:00

Reserved: 2022-05-31T00:00:00

Link: CVE-2022-32166

JSON object: View

NVD Information

Status : Modified

Published: 2022-09-28T10:15:09.560

Modified: 2023-11-07T03:47:44.110

Link: CVE-2022-32166

JSON object: View

Redhat Information

No data.

CWE

CWE-125

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-32166", "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "datePublished": "2022-06-01T00:00:00", "dateUpdated": "2022-10-29T00:00:00", "dateReserved": "2022-05-31T00:00:00"}, "containers": {"cna": {"title": "ovs - buffer over-read", "datePublic": "2022-06-01T00:00:00", "providerMetadata": {"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend", "dateUpdated": "2022-10-29T00:00:00"}, "descriptions": [{"lang": "en", "value": "In ovs versions v0.90.0 through v2.5.0 are vulnerable to heap buffer over-read in flow.c. An unsafe comparison of \u201cminimasks\u201d function could lead access to an unmapped region of memory. This vulnerability is capable of crashing the software, memory modification, and possible remote execution."}], "affected": [{"vendor": "ovs", "product": "ovs", "versions": [{"version": "v0.90.0", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}, {"version": "unspecified", "lessThanOrEqual": "v2.5.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.mend.io/vulnerability-database/CVE-2022-32166"}, {"url": "https://github.com/cloudbase/ovs/commit/2ed6505555cdcb46f9b1f0329d1491b75290fc73"}, {"name": "[debian-lts-announce] 20221029 [SECURITY] [DLA 3168-1] openvswitch security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00036.html"}], "credits": [{"lang": "en", "value": "Mend Vulnerability Research Team (MVR)"}], "metrics": [{"other": {"type": "unknown", "content": {"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "version": 3.1, "baseScore": 8.8, "baseSeverity": "HIGH"}}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-125 Out-of-bounds Read", "cweId": "CWE-125"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN"}, "solutions": [{"lang": "en", "value": "Update version to v2.5.1 or later"}]}}}