CVE-2019-12816 — Improper Input Validation in ZNC

CWE-20 — Improper Input Validation8 documents6 sources

Severity

8.8HIGHNVD

EPSS

2.7%

top 14.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

ZNC Debian ZNC

Timeline

PublishedJun 15

Latest updateMay 24

Description

Modules.cpp in ZNC before 1.7.4-rc1 allows remote authenticated non-admin users to escalate privileges and execute arbitrary code by loading a module with a crafted name.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/znc< znc 1.7.2-3 (bookworm)

▶Debianznc/znc< 1.7.2-3+3

▶NVDznc/znc1.7.3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-fvh5-rgvr-c634: Modules↗2022-05-24

▶

OSV

CVE-2019-12816: Modules↗2019-06-15

▶

📋Vendor Advisories

Ubuntu

ZNC vulnerability↗2019-07-01

▶

Debian

CVE-2019-12816: znc - Modules.cpp in ZNC before 1.7.4-rc1 allows remote authenticated non-admin users ...↗2019

▶

💬Community

Bugzilla

CVE-2019-12816 znc: invalid encoding leading to remote code execution [epel-7]↗2019-07-02

▶

Bugzilla

CVE-2019-12816 znc: invalid encoding leading to remote code execution↗2019-07-02

▶

Bugzilla

CVE-2019-12816 znc: invalid encoding leading to remote code execution [fedora-all]↗2019-07-02

▶