{
  "threat_severity" : "Low",
  "public_date" : "2019-03-08T00:00:00Z",
  "bugzilla" : {
    "description" : "vixie-cron: calloc return value resulting in remote dos",
    "id" : "1687688",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1687688"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-400",
  "details" : [ "Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (daemon crash) via a large crontab file because the calloc return value is not checked.", "A vulnerability was found in the Vixie Cron package, caused by improper validation of the return value from the calloc function. A local attacker could exploit this flaw by using a specially crafted crontab file, resulting in a denial of service condition and potentially crashing the service." ],
  "statement" : "This vulnerability was rated as LOW severity because it requires local access and a specially crafted crontab file to exploit. While it does not lead to system compromise, it can cause the cron service to crash temporarily.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "vixie-cron",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "cronie",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "cronie",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "cronie",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-9704\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-9704" ],
  "name" : "CVE-2019-9704",
  "csaw" : false
}