CVE-2009-1255 — Sensitive Information Exposure in Memcached

CWE-200 — Sensitive Information Exposure6 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

2.1%

top 15.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Memcached Debian Memcached Memcachedb Memcached

Timeline

PublishedApr 30

Latest updateMay 2

Description

The process_stat function in (1) Memcached before 1.2.8 and (2) MemcacheDB 1.2.0 discloses (a) the contents of /proc/self/maps in response to a stats maps command and (b) memory-allocation statistics in response to a stats malloc command, which allows remote attackers to obtain sensitive information such as the locations of memory regions, and defeat ASLR protection, by sending a command to the daemon's TCP port.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶NVDmemcachedb/memcached1.2.0+14

▶debiandebian/memcached< memcached 1.2.8-1 (bookworm)

▶Debianmemcached/memcached< 1.2.8-1+3

Patches

Patch: code.google.com ↗Patch: code.google.com ↗

🔴Vulnerability Details

GHSA

GHSA-29xr-pwpr-24h3: The process_stat function in (1) Memcached before 1↗2022-05-02

▶

OSV

CVE-2009-1255: The process_stat function in (1) Memcached before 1↗2009-04-30

▶

📋Vendor Advisories

Red Hat

memcached: multiple vulnerabilities↗2009-04-28

▶

Debian

CVE-2009-1255: memcached - The process_stat function in (1) Memcached before 1.2.8 and (2) MemcacheDB 1.2.0...↗2009

▶

💬Community

Bugzilla

CVE-2009-1255, CVE-2009-1494 memcached: multiple vulnerabilities↗2009-04-29

▶