CVE-2021-3502: Reachable Assertion in Avahi

Severity
5.5 MEDIUM (NVD)
EPSS
0.0%
top 90.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 7
Latest update: May 24

Description

A flaw was found in avahi 0.8-5. A reachable assertion is present in the avahi_s_host_name_resolver_start function, allowing a local attacker to crash the avahi service by requesting hostname resolutions for invalid hostnames through the avahi socket or D-Bus methods. The highest threat from this vulnerability is to service availability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Affected Packages (8 packages)

debian | debian/avahi | < avahi 0.8-6 (bookworm)
Debian | avahi/avahi | < 0.8-5+deb11u1 (+3)
Ubuntu | avahi/avahi | < 0.7-3.1ubuntu1.3 (+1)
NVD | avahi/avahi | 0.8-5

Patches

🔴 Vulnerability Details (3)

GHSA
GHSA-mw7q-3wxj-rqfx: A flaw was found in avahi 0 (2022-05-24)
OSV
avahi vulnerabilities (2021-07-07)
OSV
CVE-2021-3502: A flaw was found in avahi 0 (2021-05-07)

📋 Vendor Advisories (5)

Ubuntu
Avahi vulnerabilities (2021-07-07)
Red Hat
avahi: local DoS against avahi-daemon via D-Bus interface (2021-07-07)
Microsoft
A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions t (2021-05-11)
Red Hat
avahi: reachable assertion in avahi_s_host_name_resolver_start when trying to resolve badly-formatted hostnames (2021-03-29)
Debian
CVE-2021-3502: avahi - A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_hos... (2021)