Vulnerability Details : CVE-2019-13619
Potential exploit
In Wireshark 3.0.0 to 3.0.2, 2.6.0 to 2.6.9, and 2.4.0 to 2.4.15, the ASN.1 BER dissector and related dissectors could crash. This was addressed in epan/asn1.c by properly restricting buffer increments.
Vulnerability category: Overflow
Products affected by CVE-2019-13619
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-13619
- EPSS score: 4.59% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~88% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2019-13619
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | 
CWE ids for CVE-2019-13619
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2019-13619
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JY52XAC2UNC4X4ZPIXYMK5SVXV2PO5I3/
  "[SECURITY] Fedora 30 Update: wireshark-3.0.3-1.fc30" (package-announce, Fedora Mailing Lists). Tags: Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00068.html
  "[security-announce] openSUSE-SU-2019:1965-1: moderate: Security update f". Tags: Mailing List; Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00027.html
  "[security-announce] openSUSE-SU-2020:0362-1: moderate: Security update f". Tags: Mailing List; Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/02/msg00008.html
  "[SECURITY] [DLA 2547-1] wireshark security update". Tags: Mailing List; Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4QVJALLGVVC7MBUT4B4SHQVDXGJKGI7/
  "[SECURITY] Fedora 29 Update: wireshark-3.0.3-1.fc29" (package-announce, Fedora Mailing Lists). Tags: Third Party Advisory
- https://usn.ubuntu.com/4133-1/
  "USN-4133-1: Wireshark vulnerabilities" (Ubuntu security notices). Tags: Third Party Advisory
- http://www.securityfocus.com/bid/109293
  "Wireshark CVE-2019-13619 Denial of Service Vulnerability". Tags: Third Party Advisory; VDB Entry
- https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7e90aed666e809c0db5de9d1816802a7dcea28d9
  "code.wireshark Code Review - wireshark.git/commit". Tags: Mailing List; Patch; Vendor Advisory
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15870
  "15870 – [oss-fuzz] #15221 Heap-buffer-overflow in asn1_get_real". Tags: Exploit; Issue Tracking; Vendor Advisory
- https://www.wireshark.org/security/wnpa-sec-2019-20.html
  "Wireshark · wnpa-sec-2019-20 · ASN.1 BER and related dissectors crash". Tags: Vendor Advisory