CVE-2019-11023 : The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz 2.39.20160612.1

The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz 2.39.20160612.1140 has a NULL pointer dereference, as demonstrated by graphml2gv.

Published 2019-04-08 23:29:01

Updated 2020-06-30 00:15:11

Source MITRE

View at NVD, CVE.org

Vulnerability category: Memory Corruption

Products affected by CVE-2019-11023

Graphviz » Graphviz » Version: 2.39.20160612.1140
cpe:2.3:a:graphviz:graphviz:2.39.20160612.1140:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.72%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 71 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

Assigned by: nvd@nist.gov (Primary)

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00065.html

[security-announce] openSUSE-SU-2019:1459-1: moderate: Security update f
https://gitlab.com/graphviz/graphviz/issues/1517

Null pointer dereference in function agroot() (#1517) · Issues · graphviz / graphviz · GitLab
Exploit;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FI3D5TQE3IMCSF5OUTXQL4GVKFCIY5JG/

[SECURITY] Fedora 30 Update: graphviz-2.40.1-46.fc30 - package-announce - Fedora Mailing-Lists
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLEAHLDJVMAEGA3YMC7KPKJ7ZPXNMJID/

[SECURITY] Fedora 29 Update: graphviz-2.40.1-39.fc29 - package-announce - Fedora Mailing-Lists
https://research.loginsoft.com/bugs/null-pointer-dereference-in-function-agroot/

CVE-2019-11023: Null pointer dereference in function agroot() - Graphiz-2.39.20160612.1140 - Loginsoft Research
Exploit;Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00056.html

[security-announce] openSUSE-SU-2020:0876-1: moderate: Security update f
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00065.html

[security-announce] openSUSE-SU-2020:0906-1: moderate: Security update f
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00054.html

[security-announce] openSUSE-SU-2019:1434-1: moderate: Security update f

Jump to