Vulnerability identifier: #VU19191
Vulnerability risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-399
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
libcroco
Universal components / Libraries /
Libraries used by multiple products
Vendor: Gnome Development Team
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop and CPU consumption in the "cr_parser_parse_selector_core" function, as defined in the "src/cr-parser.c" file . A remote attacker can persuade a user to access a file that submits malicious input to the system and cause a DoS condition.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
libcroco: 0.6.12
External links
http://bugzilla.gnome.org/show_bug.cgi?id=782649
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.