PT-2021-8984 · Nbdkit +2

Doran Moppert +1 · Published 2020-03-31 · Updated 2021-03-24 · CVE-2019-14850

CVSS v3.1: 3.7 (Low)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions

nbdkit versions 1.12.7, 1.14.1, 1.15.1

Description

A denial of service issue was discovered in nbdkit. Simply by opening a connection to the nbdkit service, an attacker could cause it to perform a large amount of work initializing backend plugins. This could cause resource consumption and degradation of service in nbdkit, depending on the plugins configured on the server side.

Recommendations

For versions 1.12.7, 1.14.1 and 1.15.1, update to a version that fixes this issue. As a temporary workaround, consider restricting access to the nbdkit service to minimize the risk of exploitation.

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

CESA-2020_1167
CVE-2019-14850
RHSA-2020:1167
RHSA-2020_1167

Affected Products

CentOS
Red Hat
Nbdkit