CVE Vulnerabilities

CVE-2023-32636

Uncontrolled Resource Consumption

Published: Sep 14, 2023 | Modified: Nov 21, 2024
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
6.2 LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM

A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Affected Software

Name Vendor Start Version End Version
Glib Gnome * 2.74.4 (excluding)
Red Hat Enterprise Linux 9 RedHat mingw-glib2-0:2.78.0-1.el9 *
Glib2.0 Ubuntu bionic *
Glib2.0 Ubuntu esm-infra-legacy/trusty *
Glib2.0 Ubuntu esm-infra/bionic *
Glib2.0 Ubuntu esm-infra/focal *
Glib2.0 Ubuntu esm-infra/xenial *
Glib2.0 Ubuntu focal *
Glib2.0 Ubuntu jammy *
Glib2.0 Ubuntu kinetic *
Glib2.0 Ubuntu trusty *
Glib2.0 Ubuntu trusty/esm *
Glib2.0 Ubuntu upstream *
Glib2.0 Ubuntu xenial *

Potential Mitigations

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

References