Vulnerability Details: CVE-2020-28030
In Wireshark 3.2.0 to 3.2.7, the GQUIC dissector could crash. This was addressed in epan/dissectors/packet-gquic.c by correcting the implementation of offset advancement, so that the tag offset is guaranteed to advance while the dissector walks the tag list.
Products affected by CVE-2020-28030
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-28030
- EPSS score: 0.39% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~73% (the proportion of vulnerabilities scored at or below this score)
- EPSS Score History: chart not reproduced here
CVSS scores for CVE-2020-28030
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2020-28030
- The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. Assigned by: nvd@nist.gov (Primary)
- The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. Assigned by: nvd@nist.gov (Primary)
- The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-28030
- https://gitlab.com/wireshark/wireshark/-/commit/b287e7165e8aa89cde6ae37e7c257c5d87d16b9b
  "GQUIC: make sure our tag offset advances." (b287e716), Wireshark Foundation / wireshark, GitLab [Patch; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2667E6WKVE56G66BVBVD7LJPIDOJ7K3/
  [SECURITY] Fedora 32 Update: wireshark-3.4.0-1.fc32, package-announce, Fedora Mailing Lists [Mailing List; Third Party Advisory]
- https://www.wireshark.org/security/wnpa-sec-2020-15.html
  Wireshark wnpa-sec-2020-15: GQUIC dissector crash [Vendor Advisory]
- https://lists.debian.org/debian-lts-announce/2021/02/msg00008.html
  [SECURITY] [DLA 2547-1] wireshark security update [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UHZSVK7PO2LTGFQXFHFXY6SOMSQ7UPRS/
  [SECURITY] Fedora 33 Update: wireshark-3.4.0-1.fc33, package-announce, Fedora Mailing Lists [Mailing List; Third Party Advisory]
- https://gitlab.com/wireshark/wireshark/-/issues/16887
  Not Found [Exploit; Issue Tracking; Third Party Advisory]