CVE-2013-7239

memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials.

CVSS v2.0 4.8 MEDIUM

4.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:A/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 6.5 / Impact : 4.9

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://seclists.org/oss-sec/2013/q4/572
http://secunia.com/advisories/56183	Vendor Advisory
http://www.debian.org/security/2014/dsa-2832
http://www.securityfocus.com/bid/64559
http://www.ubuntu.com/usn/USN-2080-1
https://code.google.com/p/memcached/wiki/ReleaseNotes1417	Patch
http://seclists.org/oss-sec/2013/q4/572
http://secunia.com/advisories/56183	Vendor Advisory
http://www.debian.org/security/2014/dsa-2832
http://www.securityfocus.com/bid/64559
http://www.ubuntu.com/usn/USN-2080-1
https://code.google.com/p/memcached/wiki/ReleaseNotes1417	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:memcached:memcached::::::::
	cpe:2.3:a:memcached:memcached:1.4.0:::::::*
	cpe:2.3:a:memcached:memcached:1.4.1:::::::*
	cpe:2.3:a:memcached:memcached:1.4.2:::::::*
	cpe:2.3:a:memcached:memcached:1.4.3:::::::*
	cpe:2.3:a:memcached:memcached:1.4.4:::::::*
	cpe:2.3:a:memcached:memcached:1.4.5:::::::*
	cpe:2.3:a:memcached:memcached:1.4.6:::::::*
	cpe:2.3:a:memcached:memcached:1.4.7:::::::*
	cpe:2.3:a:memcached:memcached:1.4.8:::::::*
	cpe:2.3:a:memcached:memcached:1.4.9:::::::*
	cpe:2.3:a:memcached:memcached:1.4.10:::::::*
	cpe:2.3:a:memcached:memcached:1.4.11:::::::*
	cpe:2.3:a:memcached:memcached:1.4.12:::::::*
	cpe:2.3:a:memcached:memcached:1.4.13:::::::*
	cpe:2.3:a:memcached:memcached:1.4.14:::::::*
	cpe:2.3:a:memcached:memcached:1.4.15:::::::*

History

21 Nov 2024, 02:00

Type	Values Removed	Values Added
References	~~() http://seclists.org/oss-sec/2013/q4/572 -~~	() http://seclists.org/oss-sec/2013/q4/572 -
References	~~() http://secunia.com/advisories/56183 - Vendor Advisory~~	() http://secunia.com/advisories/56183 - Vendor Advisory
References	~~() http://www.debian.org/security/2014/dsa-2832 -~~	() http://www.debian.org/security/2014/dsa-2832 -
References	~~() http://www.securityfocus.com/bid/64559 -~~	() http://www.securityfocus.com/bid/64559 -
References	~~() http://www.ubuntu.com/usn/USN-2080-1 -~~	() http://www.ubuntu.com/usn/USN-2080-1 -
References	~~() https://code.google.com/p/memcached/wiki/ReleaseNotes1417 - Patch~~	() https://code.google.com/p/memcached/wiki/ReleaseNotes1417 - Patch

Information

Published : 2014-01-13 21:55

Updated : 2025-04-11 00:51

NVD link : CVE-2013-7239

Mitre link : CVE-2013-7239

CVE.ORG link : CVE-2013-7239

JSON object : View

Products Affected

memcached

memcached

CWE

CWE-287

Improper Authentication

{"id": "CVE-2013-7239", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.8, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-01-13T21:55:05.230", "references": [{"url": "http://seclists.org/oss-sec/2013/q4/572", "source": "security@debian.org"}, {"url": "http://secunia.com/advisories/56183", "tags": ["Vendor Advisory"], "source": "security@debian.org"}, {"url": "http://www.debian.org/security/2014/dsa-2832", "source": "security@debian.org"}, {"url": "http://www.securityfocus.com/bid/64559", "source": "security@debian.org"}, {"url": "http://www.ubuntu.com/usn/USN-2080-1", "source": "security@debian.org"}, {"url": "https://code.google.com/p/memcached/wiki/ReleaseNotes1417", "tags": ["Patch"], "source": "security@debian.org"}, {"url": "http://seclists.org/oss-sec/2013/q4/572", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/56183", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.debian.org/security/2014/dsa-2832", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/64559", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.ubuntu.com/usn/USN-2080-1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://code.google.com/p/memcached/wiki/ReleaseNotes1417", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials."}, {"lang": "es", "value": "memcached anterior 1.4.17 permite a atacantes remotos evadir la autenticaci\u00f3n mediante el env\u00edo de una petici\u00f3n inv\u00e1lida con credenciales SASL, luego enviar otra petici\u00f3n con credenciales SASL incorrectas."}], "lastModified": "2025-04-11T00:51:21.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5BC2D838-BD98-438F-8B8A-C2C26E129E63", "versionEndIncluding": "1.4.16"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9D6D790C-560B-460F-A175-B47A5AFAA9F3"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "358D87E0-9392-4C00-94CE-C14BC408BCF9"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CE58473C-3D01-4519-B1F9-1F1808191EDF"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F45F2A98-7146-4501-B2A7-A376204DCFD2"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C1F4CD0E-CB74-4D72-ABDF-97820DE6A595"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0BC45B91-2C50-4D9A-9D8D-026249FB4B4B"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8FE2B6E7-1066-4D7D-9346-F03487EAE77C"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DC04F90C-2813-44F8-B48D-9EAF6E8B78A6"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1E305092-2CFD-4A94-BCE5-7F9AAEDB74D2"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "924552C6-BF90-49F1-A562-620196503246"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "92EFE814-FA06-487A-8E5F-CD00457334A4"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.11:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2AB6AF32-7B4B-4FEB-BE5D-A260852ED0DF"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A93A9113-B3AE-4952-9B98-B296DB7580B7"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.13:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F60CAEF4-EDD2-474D-99AE-AFBDE73BBBCE"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.14:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "29C9CE6E-6330-4346-8989-2A7DA7BFD19A"}, {"criteria": "cpe:2.3:a:memcached:memcached:1.4.15:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "01E082CD-A502-4CD2-8995-2086217205A6"}], "operator": "OR"}]}], "sourceIdentifier": "security@debian.org"}

4.8 /10