CVE-2024-47249: Improper Validation of Array Index in Apache NimBLE

Severity
5.0 MEDIUM (NVD)
EPSS
0.0%
top 94.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Nov 26

Description

Improper Validation of Array Index vulnerability in Apache NimBLE. Lack of input validation for HCI events from the controller could result in out-of-bounds memory corruption and a crash. This issue requires a broken or bogus Bluetooth controller, and thus severity is considered low. This issue affects Apache NimBLE through 1.7.0. Users are recommended to upgrade to version 1.8.0, which fixes the issue.

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Exploitability: 1.6 | Impact: 3.4

Affected Packages: 2 packages

Patches

Vulnerability Details (2)
GHSA
GHSA-fw6g-5qw9-p3mx: Improper Validation of Array Index vulnerability in Apache NimBLE (2024-11-26)
CVEList
Apache NimBLE: Lack of input sanitization leading to out-of-bound reads in multiple advertisement handler (2024-11-26)