Vulnerability Details : CVE-2021-30184
GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN (Portable Game Notation) data. This is related to a buffer overflow in the use of a .tmp.epd temporary file in the cmd_pgnload and cmd_pgnreplay functions in frontend/cmd.cc.
Vulnerability category: OverflowExecute code
Exploit prediction scoring system (EPSS) score for CVE-2021-30184
Probability of exploitation activity in the next 30 days: 0.32%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 67 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-30184
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
CWE ids for CVE-2021-30184
-
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-30184
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QC74RWMDLSQGV6Z3ZABNTPABB33S4YNF/
[SECURITY] Fedora 33 Update: gnuchess-6.2.7-5.fc33 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://security.gentoo.org/glsa/202107-28
GNU Chess: Buffer overflow (GLSA 202107-28) — Gentoo securityThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXOTMUSBVUZNA3JMPG6BU37DQW2YOJWS/
[SECURITY] Fedora 32 Update: gnuchess-6.2.7-5.fc32 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00000.html
Buffer Overflows in cmd.ccExploit;Mailing List;Patch;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SOGPLC77ZL2FACSOE5MWDS3YH3RBNQAQ/
[SECURITY] Fedora 34 Update: gnuchess-6.2.7-5.fc34 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00001.html
Re: Buffer Overflows in cmd.ccExploit;Mailing List;Vendor Advisory
Products affected by CVE-2021-30184
- cpe:2.3:a:gnu:chess:6.2.7:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*