CVE-2014-8117

file: denial of service issue (resource consumption)

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors.

softmagic.c en archivo anterior a 5.21 no limita adecuadamente el límite de recursividad, esto permite a atacantes remotos, provocar una denegación de servicio (consumo de CPU o rotura) mediante vectores no especificados.

A flaw was found in the way the File Information (fileinfo) extension parsed Executable and Linkable Format (ELF) files. A remote attacker could use this flaw to cause a PHP application using fileinfo to consume an excessive amount of system resources.

Francisco Alonso discovered that file incorrectly handled certain ELF files. An attacker could use this issue to cause file to crash, resulting in a denial of service. Thomas Jarosch discovered that file incorrectly handled certain ELF files. An attacker could use this issue to cause file to hang or crash, resulting in a denial of service. Thomas Jarosch discovered that file incorrectly limited recursion. An attacker could use this issue to cause file to hang or crash, resulting in a denial of service. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-10-10 CVE Reserved
2014-12-10 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-399: Resource Management Errors
CWE-674: Uncontrolled Recursion

CAPEC

References (16)

URL	Tag	Source
http://advisories.mageia.org/MGASA-2015-0040.html	Third Party Advisory
http://seclists.org/oss-sec/2014/q4/1056	Mailing List
http://secunia.com/advisories/61944	Third Party Advisory
http://secunia.com/advisories/62081	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html	X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html	X_refsource_confirm
http://www.securityfocus.com/bid/71692	Vdb Entry
http://www.securitytracker.com/id/1031344	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/file/file/blob/00cef282a902a4a6709bbbbb933ee397768caa38/ChangeLog	2018-01-05
https://github.com/file/file/commit/6f737ddfadb596d7d4a993f7ed2141ffd664a81c	2018-01-05

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2016-0760.html	2018-01-05
http://www.ubuntu.com/usn/USN-2494-1	2018-01-05
http://www.ubuntu.com/usn/USN-2535-1	2018-01-05
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:28.file.asc	2018-01-05
https://access.redhat.com/security/cve/CVE-2014-8117	2016-05-10
https://bugzilla.redhat.com/show_bug.cgi?id=1174606	2016-05-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
File Project Search vendor "File Project"		File Search vendor "File Project" for product "File"				<= 5.20 Search vendor "File Project" for product "File" and version " <= 5.20"		-		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				*		-		Affected
Mageia Search vendor "Mageia"		Mageia Search vendor "Mageia" for product "Mageia"				4.0 Search vendor "Mageia" for product "Mageia" and version "4.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				10.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "10.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.10"		-		Affected