CVE-2021-22207 — Allocation of Resources Without Limits or Throttling in Wireshark

CWE-770 — Allocation of Resources Without Limits or Throttling CWE-89 — SQL Injection7 documents7 sources

Severity

6.5MEDIUMNVD

CNA5.5

EPSS

0.5%

top 35.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wireshark THE Wireshark Foundation Wireshark Debian Linux +2 more

Timeline

PublishedApr 23

Latest updateMay 24

Description

Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to 3.4.4 and 3.2.0 to 3.2.12 allows denial of service via packet injection or crafted capture file

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶Debianwireshark/wireshark< 3.4.10-0+deb11u1+3

▶NVDwireshark/wireshark3.2.0 — 3.2.12+1

▶CVEListV5the_wireshark_foundation/wireshark>=3.2.0, <3.2.13, >=3.4.0, <3.4.5+1

▶NVDoracle/zfs_storage_appliance_kit8.8

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-r33p-r743-5j75: Excessive memory consumption in MS-WSP dissector in Wireshark 3↗2022-05-24

▶

CVEList

CVE-2021-22207: Excessive memory consumption in MS-WSP dissector in Wireshark 3↗2021-04-23

▶

OSV

CVE-2021-22207: Excessive memory consumption in MS-WSP dissector in Wireshark 3↗2021-04-23

▶

📋Vendor Advisories

Red Hat

wireshark: MS-WSP dissector excessive memory consumption↗2021-04-21

▶

Microsoft

Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to 3.4.4 and 3.2.0 to 3.2.12 allows denial of service via packet injection or crafted capture file↗2021-04-13

▶

Debian

CVE-2021-22207: wireshark - Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to 3.4.4 and...↗2021

▶