CVE-2019-14850
nbdkit: denial of service due to premature opening of back-end connection
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.15.1. An attacker could connect to the nbdkit service and cause it to perform a large amount of work in initializing backend plugins, by simply opening a connection to the service. This vulnerability could cause resource consumption and degradation of service in nbdkit, depending on the plugins configured on the server-side.
Se detectó una vulnerabilidad de denegación de servicio en nbdkit versiones 1.12.7, 1.14.1 y 1.15.1. Un atacante podría conectarse al servicio nbdkit y causar que hiciera una gran cantidad de trabajo en la inicialización de plugins de backend, simplemente abriendo una conexión al servicio. Esta vulnerabilidad podría causar el consumo de recursos y la degradación del servicio en nbdkit, según los plugins configurados en el lado del servidor
A denial of service vulnerability was discovered in nbdkit. An attacker could connect to the nbdkit service and cause it to perform a large amount of work in initializing backend plugins, by simply opening a connection to the service. This vulnerability could cause resource consumption and degradation of service in nbdkit, depending on the plugins configured on the server-side.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-08-10 CVE Reserved
- 2020-04-01 CVE Published
- 2023-12-02 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-406: Insufficient Control of Network Message Volume (Network Amplification)
CAPEC
References (3)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.redhat.com/archives/libguestfs/2019-September/msg00084.html | 2024-08-05 |
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1757258 | 2020-03-31 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2019-14850 | 2020-03-31 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Nbdkit Project Search vendor "Nbdkit Project" | Nbdkit Search vendor "Nbdkit Project" for product "Nbdkit" | < 1.12.7 Search vendor "Nbdkit Project" for product "Nbdkit" and version " < 1.12.7" | - |
Affected
| ||||||
| Nbdkit Project Search vendor "Nbdkit Project" | Nbdkit Search vendor "Nbdkit Project" for product "Nbdkit" | >= 1.14.0 < 1.14.1 Search vendor "Nbdkit Project" for product "Nbdkit" and version " >= 1.14.0 < 1.14.1" | - |
Affected
| ||||||
| Nbdkit Project Search vendor "Nbdkit Project" | Nbdkit Search vendor "Nbdkit Project" for product "Nbdkit" | >= 1.15.0 < 1.15.1 Search vendor "Nbdkit Project" for product "Nbdkit" and version " >= 1.15.0 < 1.15.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Virtualization Search vendor "Redhat" for product "Virtualization" | 4.0 Search vendor "Redhat" for product "Virtualization" and version "4.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | advanced_virtualization |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0" | - |
Affected
| ||||||