Wireshark: BLF file parser crash, wnpa-sec-2023-17
Vulnerability Submission
NOTE: Only maintainers of GitLab-hosted projects may request a CVE for a vulnerability within their project.
Publishing Schedule
After a CVE request is validated, a CVE identifier will be assigned. On what schedule should the details of the CVE be published?
- Publish immediately
- Wait to publish
reporter:
  name: "Gerald Combs"
  email: "gerald@wireshark.org"
vulnerability:
  description: "BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13
    allows denial of service via crafted capture file"
  cwe: "CWE-126"
  product:
    gitlab_path: "wireshark/wireshark"
    vendor: "Wireshark Foundation"
    name: "Wireshark"
    affected_versions:
      - ">=4.0.0, <4.0.6"
      - ">=3.6.0, <3.6.14"
    fixed_versions:
      - "4.0.6"
      - "3.6.14"
  impact: "AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
  solution: Upgrade to versions 4.0.6, 3.6.14 or above.
  credit: "Huascar Tejeda"
  references:
    - "https://www.wireshark.org/security/wnpa-sec-2023-17.html"
    - "https://gitlab.com/wireshark/wireshark/-/issues/19084"
CVSS scores can be computed by means of the NVD CVSS Calculator.