CVE-2019-13114 : http.c in Exiv2 through 0.27.1 allows a malicious http server to cause a denial

http.c in Exiv2 through 0.27.1 allows a malicious http server to cause a denial of service (crash due to a NULL pointer dereference) by returning a crafted response that lacks a space character.

Published 2019-06-30 23:15:10

Updated 2023-01-13 16:09:47

Source MITRE

View at NVD, CVE.org

Vulnerability category: Memory CorruptionDenial of service

Products affected by CVE-2019-13114

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.10
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 19.04
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 30
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
Matching versions
Exiv2 » Exiv2
Versions up to, including, (<=) 0.27.1
cpe:2.3:a:exiv2:exiv2:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-13114

EPSS FAQ

0.27%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 48 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-13114

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2019-13114

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-13114

https://usn.ubuntu.com/4056-1/

USN-4056-1: Exiv2 vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGBT5OD2TF4AIXJUC56WOUJRHAZLZ4DC/

[SECURITY] Fedora 30 Update: exiv2-0.27.2-1.fc30 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/Exiv2/exiv2/issues/793

null pointer dereference in http.cpp · Issue #793 · Exiv2/exiv2 · GitHub
Exploit;Patch;Third Party Advisory
https://github.com/Exiv2/exiv2/pull/815

Avoid null pointer exception due to NULL return value from strchr by kevinbackhouse · Pull Request #815 · Exiv2/exiv2 · GitHub
Patch;Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00009.html

[security-announce] openSUSE-SU-2020:0482-1: moderate: Security update f
Broken Link

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html

[SECURITY] [DLA 3265-1] exiv2 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://support.f5.com/csp/article/K45429077?utm_source=f5support&utm_medium=RSS

Third Party Advisory

Jump to

Vulnerability Details : CVE-2019-13114

Products affected by CVE-2019-13114

Exploit prediction scoring system (EPSS) score for CVE-2019-13114

CVSS scores for CVE-2019-13114

CWE ids for CVE-2019-13114

References for CVE-2019-13114