Resource management error in rsyslog - CVE-2013-4758
Published: October 4, 2013 / Updated: August 10, 2020
Vulnerability identifier: #VU42487
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2013-4758
CWE-ID: CWE-399
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: rsyslog.com
Affected software:
rsyslog
rsyslog
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Double free vulnerability in the writeDataError function in the ElasticSearch plugin (omelasticsearch) in rsyslog before 7.4.2 and before 7.5.2 devel, when errorfile is set to local logging, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted JSON response.
How to mitigate CVE-2013-4758
Install update from vendor's website.