CVE-2019-5152 — Missing Authentication for Critical Function in Shadowsocks-libev
Severity
7.4 HIGH (NVD)
EPSS
0.3%
top 43.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Dec 18
Latest update: May 24
Description
An exploitable information disclosure vulnerability exists in the network packet handling functionality of Shadowsocks-libev 3.3.2. When utilizing a Stream Cipher, a specially crafted set of network packets can cause an outbound connection from the server, resulting in information disclosure. An attacker can send arbitrary packets to trigger this vulnerability.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.2 | Impact: 5.2
Affected Packages: 1 package
🔴 Vulnerability Details (3)
GHSA
GHSA-pmr7-f238-jxqj: An exploitable information disclosure vulnerability exists in the network packet handling functionality of Shadowsocks-libev 3 (2022-05-24)
CVEList
CVE-2019-5152: An exploitable information disclosure vulnerability exists in the network packet handling functionality of Shadowsocks-libev 3 (2019-12-18)
OSV
CVE-2019-5152: An exploitable information disclosure vulnerability exists in the network packet handling functionality of Shadowsocks-libev 3 (2019-12-18)
📋 Vendor Advisories (1)
Debian
CVE-2019-5152: shadowsocks-libev - An exploitable information disclosure vulnerability exists in the network packet... (2019)