CVE-2013-7424 - Vulnerability Details - OpenCVE

The getaddrinfo function in glibc before 2.15, when compiled with libidn and the AI_IDN flag is used, allows context-dependent attackers to cause a denial of service (invalid free) and possibly execute arbitrary code via unspecified vectors, as demonstrated by an internationalized domain name to ping6.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gnu	Glibc
Redhat	Enterprise Linux

Configuration 1 [-]

cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 5
glibc-0:2.5-123.el5_11.3	cpe:/o:redhat:enterprise_linux:5	RHSA-2015:1627	2015-08-17T00:00:00Z
Red Hat Enterprise Linux 6
glibc-0:2.12-1.149.el6	cpe:/o:redhat:enterprise_linux:6	RHSA-2014:1391	2014-10-13T00:00:00Z

References

Link	Providers
http://rhn.redhat.com/errata/RHSA-2015-1627.html
http://www.openwall.com/lists/oss-security/2015/01/29/21
http://www.securityfocus.com/bid/72710
https://bugzilla.redhat.com/show_bug.cgi?id=1186614
https://bugzilla.redhat.com/show_bug.cgi?id=981942
https://nvd.nist.gov/vuln/detail/CVE-2013-7424
https://sourceware.org/bugzilla/show_bug.cgi?id=18011
https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commitdiff%3Bh=2e96f1c7
https://www.cve.org/CVERecord?id=CVE-2013-7424

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-08-26T19:00:00

Updated: 2024-08-06T18:09:16.606Z

Reserved: 2015-01-29T00:00:00

Link: CVE-2013-7424

Vulnrichment

No data.

NVD

Status : Modified

Published: 2015-08-26T19:59:00.110

Modified: 2024-11-21T02:00:58.303

Link: CVE-2013-7424

Redhat

Severity : Moderate

Publid Date: 2015-01-27T00:00:00Z

Links: CVE-2013-7424 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-07-07T00:00:00", "descriptions": [{"lang": "en", "value": "The getaddrinfo function in glibc before 2.15, when compiled with libidn and the AI_IDN flag is used, allows context-dependent attackers to cause a denial of service (invalid free) and possibly execute arbitrary code via unspecified vectors, as demonstrated by an internationalized domain name to ping6."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1186614"}, {"name": "[oss-security] 20150129 Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/01/29/21"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commitdiff%3Bh=2e96f1c7"}, {"name": "RHSA-2015:1627", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1627.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=981942"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=18011"}, {"name": "72710", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/72710"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7424", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The getaddrinfo function in glibc before 2.15, when compiled with libidn and the AI_IDN flag is used, allows context-dependent attackers to cause a denial of service (invalid free) and possibly execute arbitrary code via unspecified vectors, as demonstrated by an internationalized domain name to ping6."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1186614", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1186614"}, {"name": "[oss-security] 20150129 Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/01/29/21"}, {"name": "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e96f1c7", "refsource": "CONFIRM", "url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e96f1c7"}, {"name": "RHSA-2015:1627", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1627.html"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=981942", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=981942"}, {"name": "https://sourceware.org/bugzilla/show_bug.cgi?id=18011", "refsource": "CONFIRM", "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=18011"}, {"name": "72710", "refsource": "BID", "url": "http://www.securityfocus.com/bid/72710"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T18:09:16.606Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1186614"}, {"name": "[oss-security] 20150129 Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/01/29/21"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commitdiff%3Bh=2e96f1c7"}, {"name": "RHSA-2015:1627", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1627.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=981942"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=18011"}, {"name": "72710", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/72710"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7424", "datePublished": "2015-08-26T19:00:00", "dateReserved": "2015-01-29T00:00:00", "dateUpdated": "2024-08-06T18:09:16.606Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9A789ED-8F21-4477-A7E6-5018A4AB15BE", "versionEndIncluding": "2.14.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The getaddrinfo function in glibc before 2.15, when compiled with libidn and the AI_IDN flag is used, allows context-dependent attackers to cause a denial of service (invalid free) and possibly execute arbitrary code via unspecified vectors, as demonstrated by an internationalized domain name to ping6."}, {"lang": "es", "value": "Vulnerabilidad en la funci\u00f3n getaddrinfo en glibc en versiones anteriores a 2.15, cuando es compilado con libidn y es utilizado el indicador AI_IDN, permite a atacantes dependientes de contexto provocar una denegaci\u00f3n de servicio (liberaci\u00f3n de memoria no v\u00e1lida) y posiblemente ejecutar c\u00f3digo arbitrario a trav\u00e9s de vectores no especificados, seg\u00fan lo demostrado en un nombre de dominio internacionalizado para ping6."}], "id": "CVE-2013-7424", "lastModified": "2024-11-21T02:00:58.303", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-08-26T19:59:00.110", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1627.html"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/01/29/21"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/72710"}, {"source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1186614"}, {"source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=981942"}, {"source": "cve@mitre.org", "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=18011"}, {"source": "cve@mitre.org", "url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commitdiff%3Bh=2e96f1c7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1627.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2015/01/29/21"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/72710"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1186614"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=981942"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=18011"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commitdiff%3Bh=2e96f1c7"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-17"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2015:1627", "cpe": "cpe:/o:redhat:enterprise_linux:5", "package": "glibc-0:2.5-123.el5_11.3", "product_name": "Red Hat Enterprise Linux 5", "release_date": "2015-08-17T00:00:00Z"}, {"advisory": "RHSA-2014:1391", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "glibc-0:2.12-1.149.el6", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2014-10-13T00:00:00Z"}], "bugzilla": {"description": "glibc: Invalid-free when using getaddrinfo()", "id": "1186614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1186614"}, "csaw": false, "cvss": {"cvss_base_score": "5.1", "cvss_scoring_vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "status": "verified"}, "details": ["The getaddrinfo function in glibc before 2.15, when compiled with libidn and the AI_IDN flag is used, allows context-dependent attackers to cause a denial of service (invalid free) and possibly execute arbitrary code via unspecified vectors, as demonstrated by an internationalized domain name to ping6.", "An invalid free flaw was found in glibc's getaddrinfo() function when used with the AI_IDN flag. A remote attacker able to make an application call this function could use this flaw to execute arbitrary code with the permissions of the user running the application. Note that this flaw only affected applications using glibc compiled with libidn support."], "name": "CVE-2013-7424", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:rhel_eus:5.6", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux Extended Update Support 5.6"}, {"cpe": "cpe:/o:redhat:rhel_eus:5.9", "fix_state": "Affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux Extended Update Support 5.9"}, {"cpe": "cpe:/o:redhat:rhel_eus:6.2", "fix_state": "Affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux Extended Update Support 6.2"}, {"cpe": "cpe:/o:redhat:rhel_eus:6.4", "fix_state": "Affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux Extended Update Support 6.4"}, {"cpe": "cpe:/o:redhat:rhel_eus:6.5", "fix_state": "Affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux Extended Update Support 6.5"}], "public_date": "2015-01-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-7424\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-7424"], "threat_severity": "Moderate"}