cnvd - cnvd-2021-53909

CNVD-2021-53909

Vulnerability from cnvd - Published: 2021-07-23

Title

Mintty拒绝服务漏洞

Description

Mintty是应用软件Cygwin终端仿真器，也可用于MSYS 和Msys2。 Mintty存在安全漏洞，攻击者可利用漏洞导致拒绝服务(Windows GUI挂起)通过告诉Mintty窗口反复改变其标题在高速，这导致许多setwindowtextta或SetWindowTextW调用。

Severity

中

Patch Name

Mintty拒绝服务漏洞的补丁

Patch Description

Mintty是应用软件Cygwin终端仿真器，也可用于MSYS 和Msys2。 Mintty存在安全漏洞，攻击者可利用漏洞导致拒绝服务(Windows GUI挂起)通过告诉Mintty窗口反复改变其标题在高速，这导致许多setwindowtextta或SetWindowTextW调用。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/mintty/mintty/compare/3.4.4...3.4.5

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-28848

Impacted products

Name
mintty Mintty <3.4.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-28848"
    }
  },
  "description": "Mintty\u662f\u5e94\u7528\u8f6f\u4ef6Cygwin\u7ec8\u7aef\u4eff\u771f\u5668\uff0c\u4e5f\u53ef\u7528\u4e8eMSYS \u548cMsys2\u3002\n\nMintty\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1(Windows GUI\u6302\u8d77)\u901a\u8fc7\u544a\u8bc9Mintty\u7a97\u53e3\u53cd\u590d\u6539\u53d8\u5176\u6807\u9898\u5728\u9ad8\u901f\uff0c\u8fd9\u5bfc\u81f4\u8bb8\u591asetwindowtextta\u6216SetWindowTextW\u8c03\u7528\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/mintty/mintty/compare/3.4.4...3.4.5",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-53909",
  "openTime": "2021-07-23",
  "patchDescription": "Mintty\u662f\u5e94\u7528\u8f6f\u4ef6Cygwin\u7ec8\u7aef\u4eff\u771f\u5668\uff0c\u4e5f\u53ef\u7528\u4e8eMSYS \u548cMsys2\u3002\r\n\r\nMintty\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1(Windows GUI\u6302\u8d77)\u901a\u8fc7\u544a\u8bc9Mintty\u7a97\u53e3\u53cd\u590d\u6539\u53d8\u5176\u6807\u9898\u5728\u9ad8\u901f\uff0c\u8fd9\u5bfc\u81f4\u8bb8\u591asetwindowtextta\u6216SetWindowTextW\u8c03\u7528\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Mintty\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "mintty Mintty \u003c3.4.5"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-28848",
  "serverity": "\u4e2d",
  "submitTime": "2021-06-04",
  "title": "Mintty\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

CVE-2021-28848 (GCVE-0-2021-28848)

Vulnerability from cvelistv5 – Published: 2021-06-03 11:11 – Updated: 2024-08-03 21:55

Summary

Mintty before 3.4.5 allows remote servers to cause a denial of service (Windows GUI hang) by telling the Mintty window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls. In other words, it does not implement a usleep or similar delay upon processing a title change.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://mintty.github.io/	x_refsource_MISC
	https://github.com/mintty/mintty/commit/bd5210999…	x_refsource_CONFIRM
	https://github.com/mintty/mintty/compare/3.4.4...3.4.5	x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:11.649Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://mintty.github.io/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mintty/mintty/commit/bd52109993440b6996760aaccb66e68e782762b9"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mintty/mintty/compare/3.4.4...3.4.5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mintty before 3.4.5 allows remote servers to cause a denial of service (Windows GUI hang) by telling the Mintty window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls. In other words, it does not implement a usleep or similar delay upon processing a title change."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-03T11:11:18",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://mintty.github.io/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mintty/mintty/commit/bd52109993440b6996760aaccb66e68e782762b9"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mintty/mintty/compare/3.4.4...3.4.5"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-28848",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Mintty before 3.4.5 allows remote servers to cause a denial of service (Windows GUI hang) by telling the Mintty window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls. In other words, it does not implement a usleep or similar delay upon processing a title change."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://mintty.github.io/",
              "refsource": "MISC",
              "url": "https://mintty.github.io/"
            },
            {
              "name": "https://github.com/mintty/mintty/commit/bd52109993440b6996760aaccb66e68e782762b9",
              "refsource": "CONFIRM",
              "url": "https://github.com/mintty/mintty/commit/bd52109993440b6996760aaccb66e68e782762b9"
            },
            {
              "name": "https://github.com/mintty/mintty/compare/3.4.4...3.4.5",
              "refsource": "CONFIRM",
              "url": "https://github.com/mintty/mintty/compare/3.4.4...3.4.5"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-28848",
    "datePublished": "2021-06-03T11:11:18",
    "dateReserved": "2021-03-19T00:00:00",
    "dateUpdated": "2024-08-03T21:55:11.649Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-53909

CVE-2021-28848 (GCVE-0-2021-28848)

Tags

Sightings

Nomenclature