Closed by mend-for-github-com[bot] 1 year ago
:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #43
### Vulnerable Library - libeventrelease-2.0.18-stable
Event notification library
Library home page: https://github.com/libevent/libevent.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
### Vulnerable Source Files (1)
## Vulnerabilities
## Details
## CVE-2016-10195
### Vulnerable Library - libeventrelease-2.0.18-stable
Event notification library
Library home page: https://github.com/libevent/libevent.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (1)
The name_parse function in evdns.c in libevent before 2.1.6-beta allows remote attackers to have unspecified impact via vectors involving the label_len variable, which triggers an out-of-bounds stack read.
Publish Date: 2017-03-15
URL: CVE-2016-10195
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/6797
Release Date: 2017-03-15
Fix Resolution: 2.1.6
## CVE-2016-10197
### Vulnerable Library - libeventrelease-2.0.18-stable
Event notification library
Library home page: https://github.com/libevent/libevent.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (1)
The search_make_new function in evdns.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (out-of-bounds read) via an empty hostname.
Publish Date: 2017-03-15
URL: CVE-2016-10197
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/6797
Release Date: 2017-03-15
Fix Resolution: 2.1.6
## CVE-2016-10196
### Vulnerable Library - libeventrelease-2.0.18-stable
Event notification library
Library home page: https://github.com/libevent/libevent.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (1)
Stack-based buffer overflow in the evutil_parse_sockaddr_port function in evutil.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (segmentation fault) via vectors involving a long string in brackets in the ip_as_string argument.
Publish Date: 2017-03-15
URL: CVE-2016-10196
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/6797
Release Date: 2017-03-15
Fix Resolution: 2.1.6
## CVE-2015-6525
### Vulnerable Library - libeventrelease-2.0.18-stable
Event notification library
Library home page: https://github.com/libevent/libevent.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (1)
Multiple integer overflows in the evbuffer API in Libevent 2.0.x before 2.0.22 and 2.1.x before 2.1.5-beta allow context-dependent attackers to cause a denial of service or possibly have other unspecified impact via "insanely large inputs" to the (1) evbuffer_add, (2) evbuffer_prepend, (3) evbuffer_expand, (4) evbuffer_reserve_space, or (5) evbuffer_read function, which triggers a heap-based buffer overflow or an infinite loop. NOTE: this identifier was SPLIT from CVE-2014-6272 per ADT3 due to different affected versions.
Publish Date: 2015-08-24
URL: CVE-2015-6525
### CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6525
Release Date: 2015-08-24
Fix Resolution: 2.0.22, 2.1.5-beta
## CVE-2014-6272
### Vulnerable Library - libeventrelease-2.0.18-stable
Multiple integer overflows in the evbuffer API in Libevent 1.4.x before 1.4.15, 2.0.x before 2.0.22, and 2.1.x before 2.1.5-beta allow context-dependent attackers to cause a denial of service or possibly have other unspecified impact via "insanely large inputs" to the (1) evbuffer_add, (2) evbuffer_expand, or (3) bufferevent_write function, which triggers a heap-based buffer overflow or an infinite loop. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2015-6525 for the functions that are only affected in 2.0 and later.
Publish Date: 2015-08-24
URL: CVE-2014-6272
### CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-6272
Release Date: 2015-08-24
Fix Resolution: 1.4.15, 2.0.22, 2.1.5-beta
## WS-2017-3802
### Vulnerable Library - libeventrelease-2.0.18-stable
Event notification library
Library home page: https://github.com/libevent/libevent.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (1)
libevent versions release-1.4.0-beta through release-2.1.5-beta are vulnerable to a stack over-read in evdns.c.
Publish Date: 2017-04-24
URL: WS-2017-3802
### CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/112632
Release Date: 2017-04-24
Fix Resolution: release-2.1.6-beta