Vulnerability Details : CVE-2015-0563
epan/dissectors/packet-smtp.c in the SMTP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 uses an incorrect length value for certain string-append operations, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
Vulnerability category: Input validationDenial of service
Products affected by CVE-2015-0563
- cpe:2.3:a:wireshark:wireshark:1.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.6:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.7:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.8:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.9:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.10:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.11:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.12.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-0563
0.29%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 70 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-0563
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2015-0563
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-0563
-
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=611cfd00c283e7a77a2f1fd89c01b0b9f691411b
code.wireshark Code Review - wireshark.git/commit
-
http://lists.opensuse.org/opensuse-updates/2015-01/msg00053.html
openSUSE-SU-2015:0113-1: moderate: Security update for wireshark
-
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10823
10823 – Buildbot crash output: fuzz-2015-01-01-29029.pcap
-
http://www.wireshark.org/security/wnpa-sec-2015-04.html
Wireshark · wnpa-sec-2015-04 · SMTP dissector crashVendor Advisory
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
Oracle Linux Bulletin - October 2015
-
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
Oracle Bulletin Board Update - January 2015
-
http://www.mandriva.com/security/advisories?name=MDVSA-2015:022
mandriva.com
-
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=854157883bd1972e012c65c0418a9732ef5d9fb0
code.wireshark Code Review - wireshark.git/commit
-
http://www.securityfocus.com/bid/71916
Wireshark SMTP Dissector 'packet-smtp.c' Remote Denial of Service Vulnerability
-
http://advisories.mageia.org/MGASA-2015-0019.html
Mageia Advisory: MGASA-2015-0019 - Updated wireshark packages fix security vulnerabilities
Jump to