GSD-2020-5234
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-5234",
"description": "MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps.",
"id": "GSD-2020-5234"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-5234"
],
"details": "MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps.",
"id": "GSD-2020-5234",
"modified": "2023-12-13T01:22:03.207135Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5234",
"STATE": "PUBLIC",
"TITLE": "Untrusted data can lead to DoS attack in MessagePack for C# and Unity"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MessagePack",
"version": {
"version_data": [
{
"version_value": "\u003c 1.9.11"
},
{
"version_value": "\u003e= 2.0.0, \u003c 2.1.90"
}
]
}
},
{
"product_name": "MessagePack.ImmutableCollection",
"version": {
"version_data": [
{
"version_value": "\u003c 1.9.11"
},
{
"version_value": "\u003e= 2.0.0, \u003c 2.1.90"
}
]
}
},
{
"product_name": "MessagePack.ReactiveProperty",
"version": {
"version_data": [
{
"version_value": "\u003c 1.9.11"
},
{
"version_value": "\u003e= 2.0.0, \u003c 2.1.90"
}
]
}
},
{
"product_name": "MessagePack.UnityShims",
"version": {
"version_data": [
{
"version_value": "\u003c 1.9.11"
},
{
"version_value": "\u003e= 2.0.0, \u003c 2.1.90"
}
]
}
}
]
},
"vendor_name": "neuecc"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-121: Stack-based Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf",
"refsource": "CONFIRM",
"url": "https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf"
},
{
"name": "https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02",
"refsource": "MISC",
"url": "https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02"
},
{
"name": "https://github.com/neuecc/MessagePack-CSharp/issues/810",
"refsource": "MISC",
"url": "https://github.com/neuecc/MessagePack-CSharp/issues/810"
},
{
"name": "https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007",
"refsource": "MISC",
"url": "https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007"
}
]
},
"source": {
"advisory": "GHSA-7q36-4xx7-xcxf",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,1.9.11),[2.0.0,2.1.90)",
"affected_versions": "All versions before 1.9.11, all versions starting from 2.0.0 before 2.1.90",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-787",
"CWE-937"
],
"date": "2021-04-06",
"description": "MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps.",
"fixed_versions": [
"1.9.11",
"2.1.90"
],
"identifier": "CVE-2020-5234",
"identifiers": [
"GHSA-7q36-4xx7-xcxf",
"CVE-2020-5234"
],
"not_impacted": "All versions starting from 1.9.11 before 2.0.0, all versions starting from 2.1.90",
"package_slug": "nuget/MessagePack.ImmutableCollection",
"pubdate": "2020-01-31",
"solution": "Upgrade to versions 1.9.11, 2.1.90 or above.",
"title": "Out-of-bounds Write",
"urls": [
"https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf",
"https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02",
"https://nvd.nist.gov/vuln/detail/CVE-2020-5234",
"https://github.com/neuecc/MessagePack-CSharp/issues/810",
"https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007",
"https://github.com/aspnet/Announcements/issues/405",
"https://github.com/advisories/GHSA-7q36-4xx7-xcxf"
],
"uuid": "d6b15e48-4e35-479b-ab3c-01aada872a9a"
},
{
"affected_range": "(,1.9.11),[2.0.0,2.1.90)",
"affected_versions": "All versions before 1.9.11, all versions starting from 2.0.0 before 2.1.90",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-787",
"CWE-937"
],
"date": "2021-04-06",
"description": "MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps.",
"fixed_versions": [
"1.9.11",
"2.1.90"
],
"identifier": "CVE-2020-5234",
"identifiers": [
"GHSA-7q36-4xx7-xcxf",
"CVE-2020-5234"
],
"not_impacted": "All versions starting from 1.9.11 before 2.0.0, all versions starting from 2.1.90",
"package_slug": "nuget/MessagePack.ReactiveProperty",
"pubdate": "2020-01-31",
"solution": "Upgrade to versions 1.9.11, 2.1.90 or above.",
"title": "Out-of-bounds Write",
"urls": [
"https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf",
"https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02",
"https://nvd.nist.gov/vuln/detail/CVE-2020-5234",
"https://github.com/neuecc/MessagePack-CSharp/issues/810",
"https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007",
"https://github.com/aspnet/Announcements/issues/405",
"https://github.com/advisories/GHSA-7q36-4xx7-xcxf"
],
"uuid": "e89788a8-c56c-4d87-a246-013a8679e0da"
},
{
"affected_range": "(,1.9.11),[2.0.0,2.1.90)",
"affected_versions": "All versions before 1.9.11, all versions starting from 2.0.0 before 2.1.90",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-787",
"CWE-937"
],
"date": "2021-04-06",
"description": "MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps.",
"fixed_versions": [
"1.9.11",
"2.1.90"
],
"identifier": "CVE-2020-5234",
"identifiers": [
"GHSA-7q36-4xx7-xcxf",
"CVE-2020-5234"
],
"not_impacted": "All versions starting from 1.9.11 before 2.0.0, all versions starting from 2.1.90",
"package_slug": "nuget/MessagePack.UnityShims",
"pubdate": "2020-01-31",
"solution": "Upgrade to versions 1.9.11, 2.1.90 or above.",
"title": "Out-of-bounds Write",
"urls": [
"https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf",
"https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02",
"https://nvd.nist.gov/vuln/detail/CVE-2020-5234",
"https://github.com/neuecc/MessagePack-CSharp/issues/810",
"https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007",
"https://github.com/aspnet/Announcements/issues/405",
"https://github.com/advisories/GHSA-7q36-4xx7-xcxf"
],
"uuid": "e9002df8-8b95-45eb-b8b9-281d39bce58d"
},
{
"affected_range": "(,1.9.3),[2.0.94],[2.0.110],[2.0.119],[2.0.123],[2.0.204],[2.0.270],[2.0.299],[2.0.323,2.1.80)",
"affected_versions": "All versions before 1.9.3, version 2.0.94, version 2.0.110, version 2.0.119, version 2.0.123, version 2.0.204, version 2.0.270, version 2.0.299, all versions starting from 2.0.323 before 2.1.80",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-787",
"CWE-937"
],
"date": "2020-02-24",
"description": "MessagePack for C# and Unity has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps.",
"fixed_versions": [
"1.9.11",
"2.1.90"
],
"identifier": "CVE-2020-5234",
"identifiers": [
"CVE-2020-5234",
"GHSA-7q36-4xx7-xcxf"
],
"not_impacted": "All versions starting from 1.9.3 before 2.0.94, all versions after 2.0.94 before 2.0.110, all versions after 2.0.110 before 2.0.119, all versions after 2.0.119 before 2.0.123, all versions after 2.0.123 before 2.0.204, all versions after 2.0.204 before 2.0.270, all versions after 2.0.270 before 2.0.299, all versions after 2.0.299 before 2.0.323, all versions starting from 2.1.80",
"package_slug": "nuget/MessagePack",
"pubdate": "2020-01-31",
"solution": "Upgrade to versions 1.9.11, 2.1.90 or above.",
"title": "Out-of-bounds Write",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-5234",
"https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02",
"https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf",
"https://github.com/neuecc/MessagePack-CSharp/issues/810",
"https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007"
],
"uuid": "ef64082b-c0f8-4040-ac8b-bc1b431a0dd1"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:messagepack:messagepack:*:*:*:*:*:c\\#:*:*",
"cpe_name": [],
"versionEndExcluding": "1.9.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:messagepack:messagepack:2.0.94:alpha:*:*:*:c\\#:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:messagepack:messagepack:2.0.110:alpha:*:*:*:c\\#:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:messagepack:messagepack:2.0.119:beta:*:*:*:c\\#:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:messagepack:messagepack:2.0.123:beta:*:*:*:c\\#:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:messagepack:messagepack:2.0.204:beta:*:*:*:c\\#:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:messagepack:messagepack:2.0.270:rc:*:*:*:c\\#:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:messagepack:messagepack:2.0.299:rc:*:*:*:c\\#:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:messagepack:messagepack:*:*:*:*:*:c\\#:*:*",
"cpe_name": [],
"versionEndExcluding": "2.1.80",
"versionStartIncluding": "2.0.323",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5234"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02"
},
{
"name": "https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf"
},
{
"name": "https://github.com/neuecc/MessagePack-CSharp/issues/810",
"refsource": "MISC",
"tags": [],
"url": "https://github.com/neuecc/MessagePack-CSharp/issues/810"
},
{
"name": "https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007",
"refsource": "MISC",
"tags": [],
"url": "https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 6.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2020-02-24T23:15Z",
"publishedDate": "2020-01-31T18:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…