CVE Vulnerabilities

CVE-2019-13113

Reachable Assertion

Published: Jun 30, 2019 | Modified: Nov 07, 2023
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:N/I:N/A:P
RedHat/V2
RedHat/V3
3.3 LOW
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Ubuntu
MEDIUM

Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to assertion failure) via an invalid data location in a CRW image file.

Weakness

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Affected Software

Name Vendor Start Version End Version
Exiv2 Exiv2 * 0.27.1 (including)
Red Hat Enterprise Linux 8 RedHat exiv2-0:0.27.2-5.el8 *
Red Hat Enterprise Linux 8 RedHat gegl-0:0.2.0-39.el8 *
Red Hat Enterprise Linux 8 RedHat gnome-color-manager-0:3.28.0-3.el8 *
Red Hat Enterprise Linux 8 RedHat libgexiv2-0:0.10.8-4.el8 *
Exiv2 Ubuntu bionic *
Exiv2 Ubuntu cosmic *
Exiv2 Ubuntu devel *
Exiv2 Ubuntu disco *
Exiv2 Ubuntu esm-infra/bionic *
Exiv2 Ubuntu esm-infra/xenial *
Exiv2 Ubuntu trusty *
Exiv2 Ubuntu xenial *

Extended Description

While assertion is good for catching logic errors and reducing the chances of reaching more serious vulnerability conditions, it can still lead to a denial of service. For example, if a server handles multiple simultaneous connections, and an assert() occurs in one single connection that causes all other connections to be dropped, this is a reachable assertion that leads to a denial of service.

Potential Mitigations

References