CVE-2019-3804 — Missing Initialization of Resource in Cockpit

CWE-909 — Missing Initialization of Resource8 documents7 sources

Severity

7.5HIGHNVD

EPSS

4.3%

top 11.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Agentejo Cockpit Cockpit-project Cockpit Redhat Virtualization

Timeline

PublishedMar 26

Latest updateMay 13

Description

It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack. An unauthenticated attacker could send a specially crafted request with an invalid base64-encoded cookie which could cause the web service to crash.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDcockpit-project/cockpit< 184

▶Debianagentejo/cockpit< 184-1+3

▶NVDredhat/virtualization4.0

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-gpg2-6gwq-vf2g: It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack↗2022-05-13

▶

OSV

CVE-2019-3804: It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack↗2019-03-26

▶

CVEList

CVE-2019-3804: It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack↗2019-03-26

▶

📋Vendor Advisories

Debian

CVE-2019-3804: cockpit - It was found that cockpit before version 184 used glib's base64 decode functiona...↗2019

▶

Red Hat

cockpit: Crash when parsing invalid base64 headers↗2018-12-13

▶

💬Community

Bugzilla

CVE-2019-3804 cockpit: Crash when parsing invalid base64 headers [fedora-all]↗2019-01-07

▶

Bugzilla

CVE-2019-3804 cockpit: Crash when parsing invalid base64 headers↗2019-01-04

▶