CVE-2019-5163Missing Authentication for Critical Function in Shadowsocks-libev

CWE-306Missing Authentication for Critical FunctionCWE-327Use of a Broken or Risky Cryptographic Algorithm6 documents6 sources
Severity
7.5HIGHNVD
EPSS
0.5%
top 34.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Shadowsocks Shadowsocks-libevOpensuse BackportsOpensuse Leap
Timeline
PublishedDec 3
Latest updateMay 24

Description

An exploitable denial-of-service vulnerability exists in the UDPRelay functionality of Shadowsocks-libev 3.3.2. When utilizing a Stream Cipher and a local_address, arbitrary UDP packets can cause a FATAL error code path and exit. An attacker can send arbitrary UDP packets to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

Debianshadowsocks/shadowsocks-libev< 3.3.3+ds-2+3
NVDopensuse/leap15.1
NVDopensuse/backportssle-15

🔴Vulnerability Details

3
GHSA
GHSA-vc3w-rpc8-4w8g: An exploitable denial-of-service vulnerability exists in the UDPRelay functionality of Shadowsocks-libev 32022-05-24
OSV
CVE-2019-5163: An exploitable denial-of-service vulnerability exists in the UDPRelay functionality of Shadowsocks-libev 32019-12-03
CVEList
CVE-2019-5163: An exploitable denial-of-service vulnerability exists in the UDPRelay functionality of Shadowsocks-libev 32019-12-03

📋Vendor Advisories

1
Debian
CVE-2019-5163: shadowsocks-libev - An exploitable denial-of-service vulnerability exists in the UDPRelay functional...2019

💬Community

1
Bugzilla
CVE-2019-3826 prometheus: Stored DOM cross-site scripting (XSS) attack via crafted URL2019-02-06
CVE-2019-5163 — Shadowsocks-libev vulnerability | cvebase