CVE-2019-14850

A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.15.1. An attacker could connect to the nbdkit service and cause it to perform a large amount of work in initializing backend plugins, by simply opening a connection to the service. This vulnerability could cause resource consumption and degradation of service in nbdkit, depending on the plugins configured on the server-side.

CVSS v3 3.7 LOW
CVSS v2.0 2.6 LOW

3.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

2.6^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:H/Au:N/C:N/I:N/A:P

Exploitability : 4.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1757258	Issue Tracking Patch Third Party Advisory
https://www.redhat.com/archives/libguestfs/2019-September/msg00084.html	Exploit Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nbdkit_project:nbdkit::::::::
	cpe:2.3:a:nbdkit_project:nbdkit::::::::
	cpe:2.3:a:nbdkit_project:nbdkit::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:redhat:virtualization:4.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0::::advanced_virtualization:::
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*

History

24 Mar 2021, 18:05

Type	Values Removed	Values Added
References	~~(MISC) https://www.redhat.com/archives/libguestfs/2019-September/msg00084.html -~~	(MISC) https://www.redhat.com/archives/libguestfs/2019-September/msg00084.html - Exploit, Mailing List, Third Party Advisory
References	~~(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1757258 -~~	(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1757258 - Issue Tracking, Patch, Third Party Advisory
CPE		cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::* cpe:2.3:o:redhat:enterprise_linux:8.0:::::::* cpe:2.3:a:nbdkit_project:nbdkit:::::::: cpe:2.3:o:redhat:enterprise_linux:8.0::::advanced_virtualization::: cpe:2.3:a:redhat:virtualization:4.0:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 2.6 v3 : 3.7

18 Mar 2021, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-03-18 19:15

Updated : 2023-12-10 13:41

NVD link : CVE-2019-14850

Mitre link : CVE-2019-14850

CVE.ORG link : CVE-2019-14850

JSON object : View

Products Affected

nbdkit_project

nbdkit

redhat

virtualization
enterprise_linux_server
enterprise_linux

CWE

CWE-406

Insufficient Control of Network Message Volume (Network Amplification)

3.7 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

2.6 /10

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2019-14850

3.7^/10

2.6^/10

Attach tags to `CVE-2019-14850`