CVE-2024-40897

{"id": "CVE-2024-40897", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}]}, "published": "2024-07-26T06:15:02.290", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/07/26/1", "tags": ["Third Party Advisory"], "source": "vultures@jpcert.or.jp"}, {"url": "https://github.com/GStreamer/orc", "tags": ["Product"], "source": "vultures@jpcert.or.jp"}, {"url": "https://gstreamer.freedesktop.org/modules/orc.html", "tags": ["Product"], "source": "vultures@jpcert.or.jp"}, {"url": "https://jvn.jp/en/jp/JVN02030803/", "tags": ["Third Party Advisory"], "source": "vultures@jpcert.or.jp"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer's build environment. This may lead to compromise of developer machines or CI build environments."}, {"lang": "es", "value": "Existe una vulnerabilidad de desbordamiento de b\u00fafer en la regi\u00f3n stack de la memoria en orcparse.c de versiones de ORC anteriores a la 0.4.39. Si se enga\u00f1a a un desarrollador para que procese un archivo especialmente manipulado con el compilador ORC afectado, se puede ejecutar un c\u00f3digo arbitrario en el entorno de compilaci\u00f3n del desarrollador. Esto puede poner en peligro las m\u00e1quinas de desarrollo o los entornos de compilaci\u00f3n de CI."}], "lastModified": "2024-08-27T13:52:53.790", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gstreamer:orc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "225518F5-6BD6-4014-ACE0-6A2B50088872", "versionEndExcluding": "0.4.39"}], "operator": "OR"}]}], "sourceIdentifier": "vultures@jpcert.or.jp"}