Vulnerability Details : CVE-2015-2059
The stringprep_utf8_to_ucs4 function in libin before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read.
Vulnerability category: Overflow
Products affected by CVE-2015-2059
- cpe:2.3:a:gnu:libidn:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-2059
0.74%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 81 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-2059
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2015-2059
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-2059
-
http://www.debian.org/security/2016/dsa-3578
Debian -- Security Information -- DSA-3578-1 libidn
-
http://lists.opensuse.org/opensuse-updates/2015-07/msg00042.html
openSUSE-SU-2015:1261-1: moderate: Security update for libidnThird Party Advisory
-
http://lists.opensuse.org/opensuse-updates/2016-08/msg00098.html
openSUSE-SU-2016:2135-1: moderate: Security update for libidn
-
http://www.securityfocus.com/bid/72736
jabberd CVE-2015-2059 Out of Bounds Read Memory Corruption Vulnerability
-
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162537.html
[SECURITY] Fedora 21 Update: libidn-1.31-1.fc21Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2015/02/23/25
oss-security - Re: CVE Request: jabberd remote information disclosureMailing List;Third Party Advisory
-
http://www.ubuntu.com/usn/USN-3068-1
USN-3068-1: Libidn vulnerabilities | Ubuntu security notices
-
https://github.com/jabberd2/jabberd2/issues/85
Stringprep calls may reveal random memory · Issue #85 · jabberd2/jabberd2 · GitHubPatch;Issue Tracking;Third Party Advisory
-
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162549.html
[SECURITY] Fedora 22 Update: libidn-1.31-1.fc22Third Party Advisory
-
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c279
libidn.git - GNU libidnPatch;Issue Tracking
Jump to