CVE-2021-41253

{"id": "CVE-2021-41253", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2021-11-08T22:15:16.757", "references": [{"url": "https://github.com/zyantific/zydis/commit/55dd08c210722aed81b38132f5fd4a04ec1943b5", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/zyantific/zydis/security/advisories/GHSA-q42v-hv86-3m4g", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://huntr.dev/bounties/96b0a482-7041-45b1-9327-c6a4a8f32d3a", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://huntr.dev/bounties/d2536d7d-36ce-4723-928c-98d1ee039784", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-908"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-457"}]}], "descriptions": [{"lang": "en", "value": "Zydis is an x86/x86-64 disassembler library. Users of Zydis versions v3.2.0 and older that use the string functions provided in `zycore` in order to append untrusted user data to the formatter buffer within their custom formatter hooks can run into heap buffer overflows. Older versions of Zydis failed to properly initialize the string object within the formatter buffer, forgetting to initialize a few fields, leaving their value to chance. This could then in turn cause zycore functions like `ZyanStringAppend` to make incorrect calculations for the new target size, resulting in heap memory corruption. This does not affect the regular uncustomized Zydis formatter, because Zydis internally doesn't use the string functions in zycore that act upon these fields. However, because the zycore string functions are the intended way to work with the formatter buffer for users of the library that wish to extend the formatter, we still consider this to be a vulnerability in Zydis. This bug is patched starting in version 3.2.1. As a workaround, users may refrain from using zycore string functions in their formatter hooks until updating to a patched version."}, {"lang": "es", "value": "Zydis es una biblioteca de desensamblador x86/x86-64. Los usuarios de Zydis versiones v3.2.0 y anteriores que usan las funciones de cadena proporcionadas en \"zycore\" para a\u00f1adir datos de usuario no confiables al buffer del formateador dentro de sus hooks de formateo personalizados pueden encontrarse con desbordamientos del buffer de la pila. Las versiones m\u00e1s antiguas de Zydis no inicializaban correctamente el objeto string dentro del buffer del formateador, olvidando inicializar algunos campos, dejando su valor al azar. Esto pod\u00eda causar a su vez que las funciones de zycore como \"ZyanStringAppend\" hicieran c\u00e1lculos incorrectos para el nuevo tama\u00f1o de destino, resultando en una corrupci\u00f3n de la memoria de la pila. Esto no afecta al formateador normal de Zydis no personalizado, porque Zydis internamente no usa las funciones de cadena de zycore que act\u00faan sobre estos campos. Sin embargo, debido a que las funciones de cadena de zycore son la forma prevista de trabajar con el buffer del formateador para los usuarios de la biblioteca que desean extender el formateador, todav\u00eda consideramos que esto es una vulnerabilidad en Zydis. Este bug est\u00e1 parcheado a partir de la versi\u00f3n 3.2.1. Como soluci\u00f3n, los usuarios pueden abstenerse de usar las funciones de cadena de zycore en sus ganchos de formateo hasta que se actualicen a una versi\u00f3n parcheada"}], "lastModified": "2022-10-24T16:07:22.977", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zyantific:zydis:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B3224BFA-FA43-444D-B652-4EC8235D3076", "versionEndIncluding": "3.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}