CVE-2021-40403

Debian Security Advisory 5306-1

Severity Score

6.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

An information disclosure vulnerability exists in the pick-and-place rotation parsing functionality of Gerbv 2.7.0 and dev (commit b5f1eacd), and Gerbv forked 2.8.0. A specially-crafted pick-and-place file can exploit the missing initialization of a structure to leak memory contents. An attacker can provide a malicious file to trigger this vulnerability.

Se presenta una vulnerabilidad de divulgación de información en la funcionalidad pick-and-place rotation parsing de Gerbv versiones 2.7.0 y dev (commit b5f1eacd), y Gerbv forked versión 2.8.0. Un archivo pick-and-place especialmente diseñado puede explotar la falta de inicialización de una estructura para perder el contenido de la memoria. Un atacante puede proporcionar un archivo malicioso para desencadenar esta vulnerabilidad

Several vulnerabilities were discovered in gerbv, a Gerber file viewer, which could result in the execution of arbitrary code, denial of service or information disclosure if a specially crafted file is processed.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2021-09-01 CVE Reserved
2022-02-04 CVE Published
2025-03-30 EPSS Updated
2025-04-15 CVE Updated
2025-04-15 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-456: Missing Initialization of a Variable
CWE-909: Missing Initialization of Resource

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1417	2025-04-15

URL	Date	SRC

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTGBC37N2FV7NKOWFVCFMPAFYEPHSB7C	2023-11-07
https://www.debian.org/security/2022/dsa-5306	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Gerbv Project Search vendor "Gerbv Project"		Gerbv Search vendor "Gerbv Project" for product "Gerbv"				2.7.0 Search vendor "Gerbv Project" for product "Gerbv" and version "2.7.0"		-		Affected
Gerbv Project Search vendor "Gerbv Project"		Gerbv Search vendor "Gerbv Project" for product "Gerbv"				2.8.0 Search vendor "Gerbv Project" for product "Gerbv" and version "2.8.0"		forked_dev		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected