CVE-2002-1200Improper Restriction of Operations within the Bounds of a Memory Buffer in Syslog-ng

CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer5 documents5 sources
Severity
7.5HIGHNVD
EPSS
6.5%
top 8.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Oneidentity Syslog-ng
Timeline
PublishedOct 28
Latest updateApr 30

Description

Balabit Syslog-NG 1.4.x before 1.4.15, and 1.5.x before 1.5.20, when using template filenames or output, does not properly track the size of a buffer when constant characters are encountered during macro expansion, which allows remote attackers to cause a denial of service and possibly execute arbitrary code.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

Debianoneidentity/syslog-ng< 1.5.21-1+3
NVDoneidentity/syslog-ng8 versions+7

Patches

Patch: www.balabit.huPatch: www.debian.orgPatch: www.balabit.hu

🔴Vulnerability Details

3
GHSA
GHSA-rjhm-8rqf-6wp8: Balabit Syslog-NG 12022-04-30
CVEList
CVE-2002-1200: Balabit Syslog-NG 12004-09-01
OSV
CVE-2002-1200: Balabit Syslog-NG 12002-10-28

📋Vendor Advisories

1
Debian
CVE-2002-1200: syslog-ng - Balabit Syslog-NG 1.4.x before 1.4.15, and 1.5.x before 1.5.20, when using templ...2002
CVE-2002-1200 — Oneidentity Syslog-ng vulnerability | cvebase