{
  "threat_severity" : "Moderate",
  "public_date" : "2019-05-21T00:00:00Z",
  "bugzilla" : {
    "description" : "wireshark: missing dissection recursion checks leads to denial of service",
    "id" : "1831675",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1831675"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-674",
  "details" : [ "In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the dissection engine could crash. This was addressed in epan/packet.c by restricting the number of layers and consequently limiting recursion." ],
  "statement" : "During testing, we could not reproduce this issue (with a default stack size and the binaries as shipped in our products). It is possible that this issue only manifests when using binaries compiled with AddressSanitizer, which can dramatically increase stack usage. However, it cannot be entirely ruled out that there is a way to exploit this using a method currently unknown to us; for that reason, this issue has been rated as having an impact of Moderate.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "wireshark",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "wireshark",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "wireshark",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "wireshark",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-12295\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-12295\nhttps://www.wireshark.org/security/wnpa-sec-2019-19.html" ],
  "name" : "CVE-2019-12295",
  "csaw" : false
}