iproute2v4.14.1: 1 vulnerabilities (highest severity is: 4.4)

[mend-for-github-com]

Vulnerable Library - iproute2v4.14.1

Iproute2 routing commands and utilities

Library home page: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git

Vulnerable Source Files (1)

/vendor/iproute2-4.2.0/ip/ipnetns.c

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (iproute2v4.14.1 version)	Remediation Possible**
CVE-2019-20795	Medium	4.4	iproute2v4.14.1	Direct	v5.1.0	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-20795

Vulnerable Library - iproute2v4.14.1

Iproute2 routing commands and utilities

Library home page: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git

Found in base branch: main

Vulnerable Source Files (1)

/vendor/iproute2-4.2.0/ip/ipnetns.c

Vulnerability Details

iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_name in ip/ipnetns.c. NOTE: security relevance may be limited to certain uses of setuid that, although not a default, are sometimes a configuration option offered to end users. Even when setuid is used, other factors (such as C library configuration) may block exploitability.

Publish Date: 2020-05-09

URL: CVE-2019-20795

CVSS 3 Score Details (4.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20795

Release Date: 2020-09-10

Fix Resolution: v5.1.0