CVE-2015-1822 — Missing Initialization of a Variable in Chrony

CWE-17 CWE-456 — Missing Initialization of a Variable9 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

2.1%

top 15.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tuxfamily Chrony Debian Linux

Timeline

PublishedApr 16

Latest updateMay 17

Description

chrony before 1.31.1 does not initialize the last "next" pointer when saving unacknowledged replies to command requests, which allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and daemon crash) or possibly execute arbitrary code via a large number of command requests.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages2 packages

▶Debiantuxfamily/chrony< 1.30-2+3

▶NVDtuxfamily/chrony1.31

Also affects: Debian Linux 7.0

Patches

Patch: listengine.tuxfamily.org ↗Patch: listengine.tuxfamily.org ↗

🔴Vulnerability Details

GHSA

GHSA-rchf-p2rm-hg6h: chrony before 1↗2022-05-17

▶

OSV

CVE-2015-1822: chrony before 1↗2015-04-16

▶

CVEList

CVE-2015-1822: chrony before 1↗2015-04-16

▶

📋Vendor Advisories

Red Hat

chrony: uninitialized pointer in cmdmon reply slots↗2015-04-07

▶

Debian

CVE-2015-1822: chrony - chrony before 1.31.1 does not initialize the last "next" pointer when saving una...↗2015

▶

💬Community

Bugzilla

CVE-2015-1822 CVE-2015-1821 chrony: various flaws [fedora-all]↗2015-04-07

▶

Bugzilla

CVE-2015-1822 chrony: uninitialized pointer in cmdmon reply slots↗2015-04-07

▶

Bugzilla

CVE-2015-1822 CVE-2015-1821 chrony: various flaws [epel-all]↗2015-04-07

▶