CVE-2020-18032 — Classic Buffer Overflow in Graphviz

CWE-120 — Classic Buffer Overflow CWE-193 — Off-by-one Error10 documents7 sources

Severity

7.8HIGHNVD

OSV5.5

EPSS

0.5%

top 35.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Graphviz Debian Graphviz Debian Linux +29 more

Timeline

PublishedApr 29

Latest updateMar 24

Description

Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the "lib/common/shapes.c" component.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages32 packages

▶debiandebian/graphviz< graphviz 2.42.2-5 (bookworm)

▶NVDgraphviz/graphviz< 2.46.0

▶Debiangraphviz/graphviz< 2.42.2-5+3

▶Ubuntugraphviz/graphviz< 2.36.0-0ubuntu3.2+esm1+3

▶msrcmsrc/graphviz-2.42.4-5.cm1.x86_64.rpm

Also affects: Debian Linux 10.0, 9.0, Fedora 33, 34

Patches

Patch: gitlab.com ↗Patch: gitlab.com ↗

🔴Vulnerability Details

OSV

graphviz vulnerabilities↗2023-03-24

▶

GHSA

GHSA-92qh-4rf3-8x2m: Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a↗2022-05-24

▶

OSV

graphviz vulnerabilities↗2022-02-03

▶

OSV

CVE-2020-18032: Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a↗2021-04-29

▶

📋Vendor Advisories

Ubuntu

Graphviz vulnerabilities↗2023-03-24

▶

Ubuntu

Graphviz vulnerabilities↗2022-02-03

▶

Red Hat

graphviz: off-by-one in parse_reclbl() in lib/common/shapes.c↗2021-05-26

▶

Microsoft

▶

Debian

CVE-2020-18032: graphviz - Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 an...↗2020

▶