Memcached 1.6.0/1.6.1 memcached.c try_read_command_binary buffer overflow

Summaryinfo

A vulnerability was found in Memcached 1.6.0/1.6.1 and classified as critical. Impacted is the function try_read_command_binary of the file memcached.c. Executing a manipulation can lead to buffer overflow. This vulnerability is tracked as CVE-2020-10931. The attack can be launched remotely. No exploit exists. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability has been found in Memcached 1.6.0/1.6.1 and classified as critical. This vulnerability affects the function try_read_command_binary of the file memcached.c. The manipulation with an unknown input leads to a buffer overflow vulnerability. The CWE definition for the vulnerability is CWE-120. The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. As an impact it is known to affect availability. CVE summarizes:

Memcached 1.6.x before 1.6.2 allows remote attackers to cause a denial of service (daemon crash) via a crafted binary protocol header to try_read_command_binary in memcached.c.

The weakness was disclosed 03/24/2020. This vulnerability was named CVE-2020-10931 since 03/24/2020. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are known technical details, but no exploit is available.

Upgrading to version 1.6.2 eliminates this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Name

• Memcached

Version

• 1.6.0
• 1.6.1

License

• open-source

Website

• Product: https://github.com/memcached/memcached/

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion