Vulnerability Name:

CVE-2019-9917 (CCN-158913)

Assigned:2019-03-15
Published:2019-03-15
Updated:2019-06-15
Summary:ZNC before 1.7.3-rc1 allows an existing remote user to cause a Denial of Service (crash) via invalid encoding.
CVSS v3 Severity:6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-20
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2019-9917

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2019:1775

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2019:1859

Source: XF
Type: UNKNOWN
znc-cve20199917-dos(158913)

Source: CCN
Type: ZNC GIT Repository
Don't crash if user specified invalid encoding

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/znc/znc/commit/64613bc8b6b4adf1e32231f9844d99cd512b8973

Source: FEDORA
Type: Issue Tracking, Release Notes, Third Party Advisory
FEDORA-2019-8790e70a89

Source: FEDORA
Type: Issue Tracking, Release Notes, Third Party Advisory
FEDORA-2019-64ed5e4dfa

Source: FEDORA
Type: Issue Tracking, Release Notes, Third Party Advisory
FEDORA-2019-d5ad4a435c

Source: BUGTRAQ
Type: UNKNOWN
20190617 [SECURITY] [DSA 4463-1] znc security update

Source: UBUNTU
Type: Third Party Advisory
USN-3950-1

Source: DEBIAN
Type: UNKNOWN
DSA-4463

Vulnerable Configuration:Configuration 1:
  • cpe:/a:znc:znc:*:*:*:*:*:*:*:* (Version <= 1.7.2)

    • Configuration 2:
  • cpe:/o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:fedoraproject:fedora:28:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:29:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:30:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:znc:znc:1.7.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20199917
    V
    		CVE-2019-9917
    2022-06-30
    oval:org.opensuse.security:def:113626
    P
    		znc-1.8.2-1.11 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:93430
    P
    		 (Important)
    2021-12-01
    oval:org.opensuse.security:def:107008
    P
    		znc-1.8.2-1.11 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:62832
    P
    		texlive-collection-basic-2017.135.svn41616-9.12.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62352
    P
    		xalan-j2-2.7.2-9.64 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:63034
    P
    		perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62353
    P
    		xdg-utils-1.1.3+20190413-1.24 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:74287
    P
    		Security update for gdk-pixbuf (Moderate)
    2021-01-21
    oval:org.opensuse.security:def:63398
    P
    		jakarta-commons-fileupload-1.1.1-2.82 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62376
    P
    		docker-19.03.5_ce-6.31.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63172
    P
    		nginx-1.14.0-1.14 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62553
    P
    		libgxps-devel-0.3.0-4.3.29 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:25064
    P
    		Security update for qemu (Important)
    2020-12-01
    oval:org.opensuse.security:def:64221
    P
    		btrfsmaintenance on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:63859
    P
    		Security update for systemd (Important)
    2020-12-01
    oval:org.opensuse.security:def:25272
    P
    		Security update for vino (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25704
    P
    		Security update for ppp (Important)
    2020-12-01
    oval:org.opensuse.security:def:25413
    P
    		Security update for ucode-intel (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25762
    P
    		Security update for Xerces-C (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25616
    P
    		Security update for less (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25000
    P
    		Security update for rsyslog (Important)
    2020-12-01
    oval:org.opensuse.security:def:26435
    P
    		Security update for znc (Low)
    2020-12-01
    oval:org.opensuse.security:def:64109
    P
    		Security update for bluez (Important)
    2020-12-01
    oval:org.opensuse.security:def:63725
    P
    		Security update for elfutils (Low)
    2020-12-01
    oval:org.opensuse.security:def:25191
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:24989
    P
    		Security update for bzip2 (Important)
    2020-12-01
    oval:org.opensuse.security:def:74161
    P
    		Security update for xen (Important)
    2020-12-01
    oval:org.opensuse.security:def:63965
    P
    		Security update for ceph (Important)
    2020-12-01
    oval:org.opensuse.security:def:25329
    P
    		Security update for spice-gtk (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25718
    P
    		Security update for java-1_7_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:25563
    P
    		Security update for xrdp (Important)
    2020-12-01
    oval:org.opensuse.security:def:26400
    P
    		Security update for Chromium (Important)
    2020-12-01
    oval:org.opensuse.security:def:64067
    P
    		Security update for libX11 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:100143
    P
    		Security update for znc (Important)
    2019-08-13
    oval:org.opensuse.security:def:109911
    P
    		Security update for znc (Important)
    2019-07-21
    oval:com.ubuntu.xenial:def:201999170000000
    V
    		CVE-2019-9917 on Ubuntu 16.04 LTS (xenial) - medium.
    2019-03-27
    oval:com.ubuntu.bionic:def:20199917000
    V
    		CVE-2019-9917 on Ubuntu 18.04 LTS (bionic) - medium.
    2019-03-27
    oval:com.ubuntu.cosmic:def:20199917000
    V
    		CVE-2019-9917 on Ubuntu 18.10 (cosmic) - medium.
    2019-03-27
    oval:com.ubuntu.cosmic:def:201999170000000
    V
    		CVE-2019-9917 on Ubuntu 18.10 (cosmic) - medium.
    2019-03-27
    oval:com.ubuntu.trusty:def:20199917000
    V
    		CVE-2019-9917 on Ubuntu 14.04 LTS (trusty) - medium.
    2019-03-27
    oval:com.ubuntu.bionic:def:201999170000000
    V
    		CVE-2019-9917 on Ubuntu 18.04 LTS (bionic) - medium.
    2019-03-27
    oval:com.ubuntu.xenial:def:20199917000
    V
    		CVE-2019-9917 on Ubuntu 16.04 LTS (xenial) - medium.
    2019-03-27
    BACK
    znc znc *
    canonical ubuntu linux 18.10
    fedoraproject fedora 28
    fedoraproject fedora 29
    fedoraproject fedora 30
    znc znc 1.7.2