Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

None

Privileges Required

None

Attack Vector

Network

0

CVE-2019-12900

Disclosure Date: June 19, 2019 •

CVE-2019-12900 CVSS v3 Base Score: 9.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

bzip,
canonical,
debian,
freebsd,
opensuse,
python

Products

bzip2,
debian linux 8.0,
freebsd 11.2,
freebsd 11.3,
freebsd 12.0,
leap 15.0,
leap 15.1,
python,
ubuntu linux 12.04,
ubuntu linux 14.04,
ubuntu linux 16.04,
ubuntu linux 18.04,
ubuntu linux 19.04

References

Canonical

CVE-2019-12900 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900)

Advisory

[debian-lts-announce] 20190624 [SECURITY] [DLA 1833-1] bzip2 security update (https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html)

USN-4038-2 (https://usn.ubuntu.com/4038-2)

USN-4038-1 (https://usn.ubuntu.com/4038-1)

20190715 [slackware-security] bzip2 (SSA:2019-195-01) (https://seclists.org/bugtraq/2019/Jul/22)

[debian-lts-announce] 20190718 [SECURITY] [DLA 1833-2] bzip2 regression update (https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html)

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html

20190806 FreeBSD Security Advisory FreeBSD-SA-19:18.bzip2 (https://seclists.org/bugtraq/2019/Aug/4)

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html

USN-4146-1 (https://usn.ubuntu.com/4146-1)

USN-4146-2 (https://usn.ubuntu.com/4146-2)

[debian-lts-announce] 20191010 [SECURITY] [DLA 1953-1] clamav security update (https://lists.debian.org/debian-lts-announce/2019/10/msg00012.html)

[debian-lts-announce] 20191014 [SECURITY] [DLA 1953-2] clamav regression update (https://lists.debian.org/debian-lts-announce/2019/10/msg00018.html)

https://support.f5.com/csp/article/K68713584?utm_source=f5support&utm_medium=RSS

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00078.html

http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00000.html

[kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka (https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@%3Cusers.kafka.apache.org%3E)

USN-4038-2 (https://usn.ubuntu.com/4038-2/)

USN-4038-1 (https://usn.ubuntu.com/4038-1/)

USN-4146-1 (https://usn.ubuntu.com/4146-1/)

USN-4146-2 (https://usn.ubuntu.com/4146-2/)

[flink-user] 20210716 Flink 1.13.1 - Vulnerabilities CVE-2019-12900 for librocksdbjni (https://lists.apache.org/thread.html/rda98305669476c4d90cc8527c4deda7e449019dd1fe9936b56671dd4@%3Cuser.flink.apache.org%3E)

[flink-user] 20210717 Re: Flink 1.13.1 - Vulnerabilities CVE-2019-12900 for librocksdbjni (https://lists.apache.org/thread.html/rce8cd8c30f60604b580ea01bebda8a671a25c9a1629f409fc24e7774@%3Cuser.flink.apache.org%3E)

Miscellaneous

https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc

http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html

https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc

http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html

https://www.oracle.com/security-alerts/cpuoct2020.html

Rapid7

Technical Analysis