Vulnerability Name:

CVE-2019-14850 (CCN-178959)

Assigned:2019-09-20
Published:2019-09-20
Updated:2021-03-24
Summary:A denial of service vulnerability was discovered in nbdkit (fixed in 1.12.7, 1.14.1 and 1.15.1; the affected version ranges are listed under Vulnerable Configuration below). nbdkit opened the back-end plugin before the NBD handshake with the client had completed, so an unauthenticated attacker could make the service perform a large amount of work initializing back-end plugins merely by opening a connection to it and then dropping it. The resulting resource consumption and degradation of service depend on which plugins are configured on the server side.
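The ordering problem behind this CVE, shown as an added model rather than nbdkit's own code: a back end whose open callback is invoked as soon as a socket is accepted does work for every bare connection, while one that is opened only after the handshake has reached the client's final option does nothing for a client that connects and hangs up. The `CountingPlugin`, `Client` and handler functions are constructed for this illustration; the option names are taken from the NBD protocol but are used here only as string stand-ins for the real negotiation.

```python
"""Illustrative model of the ordering bug behind CVE-2019-14850.

This is NOT nbdkit's code and the handshake is heavily simplified.
The single point modelled is *when* the back-end plugin's open()
runs relative to the NBD handshake: on accept (vulnerable) or only
after the client has completed negotiation (fixed).
"""
from dataclasses import dataclass
from typing import Optional

# The client's last option before the transmission phase starts.
# Used as the "handshake complete" marker in this model (an assumption;
# the real negotiation is a sequence of length-prefixed option records).
HANDSHAKE_DONE = "NBD_OPT_GO"


@dataclass
class CountingPlugin:
    """Stands in for an nbdkit back-end plugin. Counts open() calls and
    the (arbitrary) units of work they cost so the effect of a bare
    connection can be observed."""
    open_cost: int = 1
    opens: int = 0
    work_done: int = 0

    def open(self) -> object:
        # In a real plugin this could mean opening files, contacting a
        # remote server, or spawning a helper process.
        self.opens += 1
        self.work_done += self.open_cost
        return object()  # per-connection handle

    def close(self, handle: object) -> None:
        pass


class Client:
    """A scripted client: sends the given messages, then hangs up.
    messages=[] models a bare TCP connect followed by disconnect."""

    def __init__(self, messages):
        self._msgs = list(messages)

    def recv(self) -> Optional[str]:
        # None models EOF (client went away).
        return self._msgs.pop(0) if self._msgs else None


def negotiate(client: Client) -> bool:
    """Drive the handshake; True only if the client reached NBD_OPT_GO."""
    while True:
        msg = client.recv()
        if msg is None:
            return False          # client dropped before finishing
        if msg == HANDSHAKE_DONE:
            return True
        # Other options (NBD_OPT_STARTTLS, NBD_OPT_LIST, ...) are ignored
        # in this model; a real server would answer each of them.


def handle_vulnerable(plugin: CountingPlugin, client: Client) -> bool:
    """Pre-fix ordering: back end opened as soon as the socket is accepted,
    before a single byte has arrived from the client."""
    handle = plugin.open()
    try:
        return negotiate(client)
    finally:
        plugin.close(handle)


def handle_fixed(plugin: CountingPlugin, client: Client) -> bool:
    """Fixed ordering: negotiate first; open the back end only for a
    client that actually completed the handshake."""
    if not negotiate(client):
        return False
    handle = plugin.open()
    try:
        return True
    finally:
        plugin.close(handle)


def simulate(handler, bare_connections: int, real_clients: int):
    """Run `bare_connections` connect-and-drop clients and `real_clients`
    well-behaved clients through `handler`; return (opens, work_done)."""
    plugin = CountingPlugin(open_cost=1000)
    for _ in range(bare_connections):
        handler(plugin, Client([]))
    for _ in range(real_clients):
        handler(plugin, Client(["NBD_OPT_STRUCTURED_REPLY", HANDSHAKE_DONE]))
    return plugin.opens, plugin.work_done


if __name__ == "__main__":
    print("vulnerable:", simulate(handle_vulnerable, 100, 1))
    print("fixed:     ", simulate(handle_fixed, 100, 1))
```

With 100 connect-and-drop clients and one real client, the vulnerable ordering opens the back end 101 times while the fixed ordering opens it once; the cost of each open, and therefore the severity, is entirely a property of the configured plugin, which is why the advisory rates impact as "depending on the plugins configured".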
CVSS v3 Severity:3.7 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
3.2 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Low
3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
3.2 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Low
3.7 Low (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
3.2 Low (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity:2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type:CWE-406 (Insufficient Control of Network Message Volume / Network Amplification)
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2019-14850

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1757258

Source: CCN
Type: Red Hat Bugzilla – Bug 1757258
CVE-2019-14850 nbdkit: denial of service due to premature opening of back-end connection

Source: XF
Type: UNKNOWN
libguestfs-cve201914850-dos(178959)

Source: CCN
Type: nbdkit GIT Repository
nbdkit

Source: MISC
Type: Exploit, Mailing List, Third Party Advisory
https://www.redhat.com/archives/libguestfs/2019-September/msg00084.html

Vulnerable Configuration:
  Configuration 1:
  • cpe:/a:nbdkit_project:nbdkit:*:*:*:*:*:*:*:* (Version < 1.12.7)
  • OR cpe:/a:nbdkit_project:nbdkit:*:*:*:*:*:*:*:* (Version >= 1.14.0 and < 1.14.1)
  • OR cpe:/a:nbdkit_project:nbdkit:*:*:*:*:*:*:*:* (Version >= 1.15.0 and < 1.15.1)

  Configuration 2:
  • cpe:/a:redhat:virtualization:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

  Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

  Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

  Configuration CCN 1:
  • cpe:/o:redhat:enterprise_linux_server:7:*:*:*:*:*:x86_64:*
  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class (P = patch, V = vulnerability) | Title | Last Modified
    oval:com.redhat.rhsa:def:20201167 | P | RHSA-2020:1167: nbdkit security and bug fix update (Low) | 2020-03-31
    oval:com.ubuntu.disco:def:2019148500000000 | V | CVE-2019-14850 on Ubuntu 19.04 (disco) - medium. | 2019-10-02
    oval:com.ubuntu.xenial:def:2019148500000000 | V | CVE-2019-14850 on Ubuntu 16.04 LTS (xenial) - medium. | 2019-10-02