CVE-2008-2009 — Cross-site Scripting in Libvorbis

CWE-79 — Cross-site Scripting51 documents10 sources

Severity

4.3MEDIUMNVD

EPSS

4.3%

top 11.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Xiph.org Libvorbis Canonical Ubuntu Linux

Timeline

PublishedMay 16

Latest updateMay 1

Description

Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶Debianxiph.org/libvorbis< 1.2.0.dfsg-4+3

▶NVDxiph.org/libvorbis1.0

Also affects: Ubuntu Linux 8.04, 8.10, 9.04, 9.10

🔴Vulnerability Details

GHSA

GHSA-m3p3-975g-rc2v: Xiph↗2022-05-01

▶

CVEList

CVE-2008-2009: Xiph↗2008-05-16

▶

OSV

CVE-2008-2009: Xiph↗2008-05-16

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit)↗2010-07-03

▶

Exploit-DB

Joomla! Component Jobline 1.3.1 - Blind SQL Injection↗2009-07-17

▶

Exploit-DB

FreeBSD 7.0/7.1 - 'vfs.usermount' Local Privilege Escalation↗2009-07-09

▶

Exploit-DB

Apple Mac OSX xnu 1228.3.13 - 'zip-notify' Remote Kernel Overflow (PoC)↗2009-03-23

▶

Exploit-DB

Apple Mac OSX xnu 1228.3.13 - 'macfsstat' Local Kernel Memory Leak/Denial of Service↗2009-03-23

▶

📋Vendor Advisories

Red Hat

dbus: invalid signatures verified as valid due to improper fix for CVE-2008-3834↗2015-02-06

▶

Ubuntu

libvorbis vulnerabilities↗2009-11-24

▶

Red Hat

pidgin incomplete fix for CVE-2008-2927↗2009-05-02

▶

Red Hat

libnasl: OpenSSL incorrect checks for malformed signatures↗2009-01-11

▶

Red Hat

ntp incorrectly checks for malformed signatures↗2009-01-07

▶

💬Community

Bugzilla

CVE-2009-4881 glibc (32-bit): Integer overflow in the __vstrfmon_l function↗2010-06-02

▶

Bugzilla

CVE-2009-4880 glibc (32-bit): Multiple integer overflows in the printf implementation↗2010-06-02

▶

Bugzilla

CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2008-5515 CVE-2009-0781 Multiple tomcat5 vulnerabilities [Fedora all]↗2009-11-09

▶

Bugzilla

CVE-2008-6679 CVE-2009-0196 CVE-2009-0792 ghostscript various flaws [F9]↗2009-04-15

▶

Bugzilla

CVE-2008-4437 CVE-2008-6098, CVE-2009-048[13456] bugzilla: multiple issues [F10]↗2009-02-09

▶