Vulnerability Details : CVE-2014-6272
Multiple integer overflows in the evbuffer API in Libevent 1.4.x before 1.4.15, 2.0.x before 2.0.22, and 2.1.x before 2.1.5-beta allow context-dependent attackers to cause a denial of service or possibly have other unspecified impact via "insanely large inputs" to the (1) evbuffer_add, (2) evbuffer_expand, or (3) bufferevent_write function, which triggers a heap-based buffer overflow or an infinite loop. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2015-6525 for the functions that are only affected in 2.0 and later.
Vulnerability category: OverflowDenial of service
Products affected by CVE-2014-6272
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:1.4.13:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:1.4.14:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:1.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:1.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:1.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:1.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:1.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:1.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:libevent_project:libevent:2.1.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-6272
0.46%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 72 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-6272
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2014-6272
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-6272
-
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.366317
The Slackware Linux Project: Slackware Security Advisories
-
http://archives.seul.org/libevent/users/Jan-2015/msg00010.html
[Libevent-users] Advisory: integer overflow in evbuffers for Libevent <= 1.4.14b,2.0.21,2.1.4-alpha [CVE-2014-6272]Vendor Advisory
-
https://puppet.com/security/cve/CVE-2014-6272
CVE-2014-6272 | Puppet
-
http://www.debian.org/security/2015/dsa-3119
Debian -- Security Information -- DSA-3119-1 libevent
Jump to