Crash vulnerability in Wireshark when processing HTTP2 packets
Description
A vulnerability was found in Wireshark that allows the HTTP2 dissector to crash the program. The dissector did not verify that header data was present before starting header decompression.
Affected software versions
- Wireshark versions 2.6.0 through 2.6.1
- Wireshark versions 2.4.0 through 2.4.7
- Wireshark versions 2.2.0 through 2.2.15
Vulnerability type
Memory corruption
CVSS3: 7.5 High
CVSS2: 5 Medium
Related vulnerabilities
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the HTTP2 dissector could crash. This was addressed in epan/dissectors/packet-http2.c by verifying that header data was found before proceeding to header decompression.