A vulnerability was found in Lasso (the affected version unknown). It has been rated as problematic. This issue affects the function get_or_define_ns. The manipulation of the argument prefex with an unknown input leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is availability. The summary by CVE is:

The prefex variable in the get_or_define_ns function in Lasso before commit 6d854cef4211cdcdbc7446c978f23ab859847cdd allows remote attackers to cause a denial of service (uninitialized memory access and application crash) via unspecified vectors.

The bug was discovered 08/25/2017. The weakness was disclosed 08/11/2017 (Website). It is possible to read the advisory at lists.fedoraproject.org. The identification of this vulnerability is CVE-2015-1783 since 02/17/2015. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details of the vulnerability are known, but there is no available exploit.

The vulnerability scanner Nessus provides a plugin with the ID 82613 (Fedora 21 : lasso-2.4.1-1.fc21 (2015-4807)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Fedora Local Security Checks and running in the context l.

Applying the patch 6d854cef4211cdcdbc7446c978f23ab859847cdd is able to eliminate this problem. A possible mitigation has been published even before and not after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (82613).

Productinfo

Name

• Lasso

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion