CVE-2024-30259

2024-05-1415:22:15

CWE-120

CWE-122

GitHub_M

web.nvd.nist.gov

fastdds c++ dds datadistributionservice omg bufferoverflow dosattack heapbufferoverflow rtpspacket nvd patchversion.

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

AI Score

7.2

Confidence

High

EPSS

Percentile

15.5%

JSON

FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8, when a publisher serves malformed RTPS packet, heap buffer overflow occurs on the subscriber. This can remotely crash any Fast-DDS process, potentially leading to a DOS attack. Versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8 contain a patch for the issue.

Affected configurations

Vulners

Vulnrichment

Node

eprosimafast_dds

eprosimafast_ddsRange2.13.0–2.13.5

eprosimafast_ddsRange2.10.0–2.10.4

eprosimafast_ddsRange<2.6.8

VendorProductVersionCPE
eprosimafast_dds*cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
eprosima	fast_dds	*	cpe:2.3:a:eprosima:fast_dds::::::::

CNA Affected

[
  {
    "vendor": "eProsima",
    "product": "Fast-DDS",
    "versions": [
      {
        "version": "= 2.14.0",
        "status": "affected"
      },
      {
        "version": ">= 2.13.0, < 2.13.5",
        "status": "affected"
      },
      {
        "version": ">= 2.10.0, < 2.10.4",
        "status": "affected"
      },
      {
        "version": "< 2.6.8",
        "status": "affected"
      }
    ]
  }
]