CVE-2015-2059 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2015-2059?

CVE-2015-2059 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2015-2059?

Check the references section above for vendor advisories and patch information. Affected products include: Gnu Libidn, Opensuse Opensuse, Fedoraproject Fedora.

Vulnerability Description

The stringprep_utf8_to_ucs4 function in libin before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read.

CVSS Score

7.5

HIGH

AV:N/AC:L/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Gnu	Libidn	<= 1.30
Opensuse	Opensuse	13.1
Fedoraproject	Fedora	21

Related Weaknesses (CWE)

CWE-119

References

http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c279Issue TrackingPatch
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162537.htmlThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162549.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-07/msg00042.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-08/msg00098.html
http://www.debian.org/security/2016/dsa-3578
http://www.openwall.com/lists/oss-security/2015/02/23/25Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/72736
http://www.ubuntu.com/usn/USN-3068-1
https://github.com/jabberd2/jabberd2/issues/85Issue TrackingPatchThird Party Advisory
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c279Issue TrackingPatch
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162537.htmlThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162549.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-07/msg00042.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-08/msg00098.html

FAQ

What is CVE-2015-2059?

CVE-2015-2059 is a vulnerability with a CVSS score of 7.5 (HIGH). The stringprep_utf8_to_ucs4 function in libin before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 ch...

How severe is CVE-2015-2059?

CVE-2015-2059 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-2059?

Check the references section above for vendor advisories and patch information. Affected products include: Gnu Libidn, Opensuse Opensuse, Fedoraproject Fedora.