Resource exhaustion in graphviz - CVE-2019-9904

Published: March 21, 2019 / Updated: August 8, 2020

Vulnerability identifier: #VU36049
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-9904
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: The Graphviz Project
Affected software: graphviz

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in lib/cdt/dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib/cgraph/graph.c in libcgraph.a, related to agfstsubg in lib/cgraph/subg.c: closing a graph recursively closes each of its subgraphs, so sufficiently deep subgraph nesting in untrusted input can exhaust the stack and crash the process.

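Because the advisory describes recursion over subgraphs during agclose, one compensating control for deployments that cannot patch immediately is to bound subgraph nesting in DOT input before it reaches the renderer. The following pre-filter is an added example, not graphviz code and not part of the advisory; the function names, the depth limit and the assumption that recursion depth tracks the nesting of `{ ... }` blocks are ours.

```python
"""Nesting-depth gate for DOT input before it is handed to graphviz.

Hypothetical pre-filter (added example, not graphviz code). CVE-2019-9904 is
described as stack consumption from recursive agclose calls over subgraphs,
so rejecting DOT documents whose block nesting exceeds a fixed bound limits
the exposure of an unpatched renderer. The assumption that recursion depth
tracks the nesting depth of `{ ... }` blocks is ours, not the advisory's.
"""

MAX_SUBGRAPH_DEPTH = 64  # constructed policy value; tune per deployment


def max_subgraph_depth(dot: str) -> int:
    """Return the deepest nesting of `{ ... }` blocks in a DOT document.

    Braces inside double-quoted strings and inside `/* */` or `//` comments
    are ignored, so quoted labels cannot hide or fake nesting.  The outermost
    graph body counts as depth 1; unbalanced closing braces are clamped at 0.
    """
    depth = 0
    deepest = 0
    i = 0
    n = len(dot)
    while i < n:
        ch = dot[i]
        if ch == '"':                        # skip a quoted string, honouring escapes
            i += 1
            while i < n and dot[i] != '"':
                i += 2 if dot[i] == '\\' else 1
        elif dot.startswith('//', i):        # skip a line comment
            while i < n and dot[i] != '\n':
                i += 1
        elif dot.startswith('/*', i):        # skip a block comment
            end = dot.find('*/', i + 2)
            i = n if end == -1 else end + 1
        elif ch == '{':
            depth += 1
            deepest = max(deepest, depth)
        elif ch == '}':
            depth = max(0, depth - 1)
        i += 1
    return deepest


def is_safe_dot(dot: str, limit: int = MAX_SUBGRAPH_DEPTH) -> bool:
    """True when the document's block nesting is within the configured bound."""
    return max_subgraph_depth(dot) <= limit


def nested_dot(levels: int) -> str:
    """Constructed sample: a digraph with `levels` nested anonymous subgraphs."""
    return "digraph g {" + "subgraph {" * levels + "a -> b;" + "}" * levels + "}"


if __name__ == "__main__":
    for sample in (nested_dot(2), nested_dot(200)):
        print(max_subgraph_depth(sample), is_safe_dot(sample))
```

Anonymous `{ ... }` blocks count as well as named `subgraph cluster_x { ... }` blocks, since both create subgraphs in cgraph. A document that fails the gate should be rejected before any graphviz library call is made; the limit is a policy choice and should sit well below the stack depth the rendering process can actually tolerate.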
How to mitigate CVE-2019-9904

Install the update from the vendor's website.

Sources