CVE-2023-39947

2023-08-1114:15:13

CWE-122

CWE-787

[email protected]

web.nvd.nist.gov

eprosima

fast dds

heap overflow

vulnerability

remote crash

pid_property_list

patch

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

40.8%

JSON

eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, even after the fix at commit 3492270, malformed PID_PROPERTY_LIST parameters cause heap overflow at a different program counter. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue.

Affected configurations

Nvd

Node

eprosimafast_ddsRange2.6.0–2.6.6

eprosimafast_ddsRange2.9.0–2.9.2

eprosimafast_ddsRange2.10.0–2.10.2

eprosimafast_ddsMatch2.11.0

Node

debiandebian_linuxMatch11.0

debiandebian_linuxMatch12.0

VendorProductVersionCPE
eprosimafast_dds*cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*
eprosimafast_dds2.11.0cpe:2.3:a:eprosima:fast_dds:2.11.0:*:*:*:*:*:*:*
debiandebian_linux11.0cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
debiandebian_linux12.0cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
eprosima	fast_dds	*	cpe:2.3:a:eprosima:fast_dds::::::::
eprosima	fast_dds	2.11.0	cpe:2.3:a:eprosima:fast_dds:2.11.0:::::::*
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*
debian	debian_linux	12.0	cpe:2.3:o:debian:debian_linux:12.0:::::::*