Vulnerability Details : CVE-2015-8712
The dissect_hsdsch_channel_info function in epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 1.12.x before 1.12.9 does not validate the number of PDUs, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
Vulnerability category: Input validationDenial of service
Exploit prediction scoring system (EPSS) score for CVE-2015-8712
Probability of exploitation activity in the next 30 days: 0.25%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 62 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2015-8712
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
8.6
|
2.9
|
NIST |
5.5
|
MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2015-8712
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-8712
-
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11602
11602 – NBAP dissector crashes
-
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2ae329a47b7f0ac94089c23e79c6b8bc18ba80ea
code.wireshark Code Review - wireshark.git/commit
-
https://security.gentoo.org/glsa/201604-05
Wireshark: Multiple vulnerabilities (GLSA 201604-05) — Gentoo security
-
http://www.securityfocus.com/bid/79816
Wireshark Multiple Denial of Service Vulnerabilities
-
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
Oracle Solaris Bulletin - January 2016
-
http://www.wireshark.org/security/wnpa-sec-2015-32.html
Wireshark · wnpa-sec-2015-32 · UMTS FP dissector crashesVendor Advisory
-
http://www.securitytracker.com/id/1034551
Wireshark Multiple Dissector/Parser Bugs Let Remote Users Deny Service - SecurityTracker
-
http://www.debian.org/security/2016/dsa-3505
Debian -- Security Information -- DSA-3505-1 wireshark
Products affected by CVE-2015-8712
- cpe:2.3:a:wireshark:wireshark:1.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.12.4:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.12.5:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.12.6:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.12.7:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.12.8:*:*:*:*:*:*:*