CVE-2019-13619

high-risk

Published 2019-07-17

In Wireshark 3.0.0 to 3.0.2, 2.6.0 to 2.6.9, and 2.4.0 to 2.4.15, the ASN.1 BER dissector and related dissectors could crash. This was addressed in epan/asn1.c by properly restricting buffer increments.

Do I need to act?

9.8% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (9)

Wireshark

Fedora

Ubuntu Linux

Debian Linux

Leap

Affected Vendors

Debian Canonical Fedoraproject Wireshark Opensuse

References (20)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00068.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00027.html

Third Party Advisory http://www.securityfocus.com/bid/109293

Exploit https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15870

https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=7e90aed6...

Mailing List https://lists.debian.org/debian-lts-announce/2021/02/msg00008.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://usn.ubuntu.com/4133-1/

Vendor Advisory https://www.wireshark.org/security/wnpa-sec-2019-20.html