CVE-2020-7044 — Out-of-bounds Read in Wireshark

CWE-125 — Out-of-bounds Read CWE-193 — Off-by-one Error CWE-74 — Injection CWE-20 — Improper Input Validation CWE-347 — Improper Verification of Cryptographic Signature9 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 28.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wireshark Fedoraproject Fedora Opensuse Leap +2 more

Timeline

PublishedJan 16

Latest updateMay 24

Description

In Wireshark 3.2.x before 3.2.1, the WASSP dissector could crash. This was addressed in epan/dissectors/packet-wassp.c by using >= and <= to resolve off-by-one errors.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDwireshark/wireshark3.2.0 — 3.2.1

▶Debianwireshark/wireshark< 3.2.1-1+3

▶NVDopensuse/leap15.1

▶NVDoracle/solaris11

▶NVDoracle/zfs_storage_appliance_kit8.8

Also affects: Fedora 30, 31, 32

Patches

Patch: bugs.wireshark.org ↗Patch: www.oracle.com ↗Patch: bugs.wireshark.org ↗

🔴Vulnerability Details

GHSA

GHSA-454x-hmf4-97vq: In Wireshark 3↗2022-05-24

▶

OSV

CVE-2020-7044: In Wireshark 3↗2020-01-16

▶

CVEList

CVE-2020-7044: In Wireshark 3↗2020-01-16

▶

📋Vendor Advisories

Red Hat

perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files↗2021-11-23

▶

Red Hat

wireshark: WASSP dissector crash (wnpa-sec-2020-01)↗2020-01-15

▶

Debian

CVE-2020-7044: wireshark - In Wireshark 3.2.x before 3.2.1, the WASSP dissector could crash. This was addre...↗2020

▶

💬Community

Bugzilla

CVE-2020-7044 wireshark: WASSP dissector crash (wnpa-sec-2020-01)↗2020-01-30

▶

Bugzilla

CVE-2020-7044 wireshark: WASSP dissector crash (wnpa-sec-2020-01) [fedora-all]↗2020-01-30

▶