Out-of-bounds read in Versionize

#VU74175 Out-of-bounds read in Versionize

Published: 2023-03-29

Vulnerability identifier: #VU74175

Vulnerability risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-28448

CWE-ID: CWE-125

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Versionize
Server applications / Frameworks for developing and running applications

Vendor: firecracker-microvm

Description

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the Versionize::deserialize implementation. A local attacker can trigger an out-of-bounds read error and cause a denial of service condition on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Versionize: 0.1.0 - 0.1.9

External links
http://github.com/firecracker-microvm/versionize/pull/53
http://github.com/firecracker-microvm/versionize/commit/a57a051ba006cfa3b41a0532f484df759e008d47
http://github.com/firecracker-microvm/versionize/security/advisories/GHSA-8vxc-r5wp-vgvc

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Denial of service in firecracker-microvm Versionize