#VU24462 Memory leak in LibreDWG - CVE-2020-6610


Vulnerability identifier: #VU24462

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-6610

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
LibreDWG
Universal components / Libraries / Libraries used by multiple products

Vendor: GNU

Description
The vulnerability allows a remote attacker to perform (DoS) attack on the target system.

The vulnerability exists due to memory leak in "read_sections_map" in decode_r2007.c. A remote attacker can perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

LibreDWG: 0.9.3.2564

External links
https://github.com/LibreDWG/libredwg/issues/179#issuecomment-570447120

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


OpenSUSE Linux update for libredwg
OpenSUSE Linux update for libredwg
Multiple vulnerabilities in GNU LibreDWG