CVE-2021-41794

{"id": "CVE-2021-41794", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2021-10-07T15:15:11.200", "references": [{"url": "https://research.nccgroup.com/2021/10/06/technical-advisory-open5gs-stack-buffer-overflow-during-pfcp-session-establishment-on-upf-cve-2021-41794", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-120"}]}], "descriptions": [{"lang": "en", "value": "ogs_fqdn_parse in Open5GS 1.0.0 through 2.3.3 inappropriately trusts a client-supplied length value, leading to a buffer overflow. The attacker can send a PFCP Session Establishment Request with \"internet\" as the PDI Network Instance. The first character is interpreted as a length value to be used in a memcpy call. The destination buffer is only 100 bytes long on the stack. Then, 'i' gets interpreted as 105 bytes to copy from the source buffer to the destination buffer."}, {"lang": "es", "value": "La funci\u00f3n ogs_fqdn_parse en Open5GS versiones 1.0.0 hasta 2.3.3 conf\u00eda inapropiadamente en un valor de longitud proporcionado por el cliente, conllevando a un desbordamiento del b\u00fafer. El atacante puede enviar una petici\u00f3n de establecimiento de sesi\u00f3n PFCP con \"internet\" como instancia de red PDI. El primer car\u00e1cter es interpretado como un valor de longitud que ser\u00e1 usado en una llamada memcpy. El buffer de destino s\u00f3lo presenta 100 bytes de longitud en la pila. Entonces, \"i\" es interpretado como 105 bytes para copiar del buffer de origen al de destino"}], "lastModified": "2021-10-15T13:26:45.247", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "32A56B57-C3B2-4A30-88CA-0370E6CA5F1D", "versionEndIncluding": "2.3.3", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}