Vulnerability-Lookup

CVE-2013-4370 (GCVE-0-2013-4370)

Vulnerability from cvelistv5 – Published: 2013-10-17 23:00 – Updated: 2024-08-06 16:38

Summary

The ocaml binding for the xc_vcpu_getaffinity function in Xen 4.2.x and 4.3.x frees certain memory that may still be intended for use, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors that trigger a (1) use-after-free or (2) double free.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

GHSA-W68M-2VPJ-2RJG

Vulnerability from github – Published: 2022-05-17 03:07 – Updated: 2022-05-17 03:07

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2013-4370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-10-17T23:55:00Z",
    "severity": "MODERATE"
  },
  "details": "The ocaml binding for the xc_vcpu_getaffinity function in Xen 4.2.x and 4.3.x frees certain memory that may still be intended for use, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors that trigger a (1) use-after-free or (2) double free.",
  "id": "GHSA-w68m-2vpj-2rjg",
  "modified": "2022-05-17T03:07:11Z",
  "published": "2022-05-17T03:07:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4370"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/oss-sec/2013/q4/att-61/xsa69.patch"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-201407-03.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2013/10/10/13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2013-4370

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2013-4370

Aliases

CVE-2013-4370

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2013-4370",
    "description": "The ocaml binding for the xc_vcpu_getaffinity function in Xen 4.2.x and 4.3.x frees certain memory that may still be intended for use, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors that trigger a (1) use-after-free or (2) double free.",
    "id": "GSD-2013-4370",
    "references": [
      "https://www.suse.com/security/cve/CVE-2013-4370.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2013-4370"
      ],
      "details": "The ocaml binding for the xc_vcpu_getaffinity function in Xen 4.2.x and 4.3.x frees certain memory that may still be intended for use, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors that trigger a (1) use-after-free or (2) double free.",
      "id": "GSD-2013-4370",
      "modified": "2023-12-13T01:22:16.752236Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2013-4370",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The ocaml binding for the xc_vcpu_getaffinity function in Xen 4.2.x and 4.3.x frees certain memory that may still be intended for use, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors that trigger a (1) use-after-free or (2) double free."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://security.gentoo.org/glsa/glsa-201407-03.xml",
            "refsource": "MISC",
            "url": "http://security.gentoo.org/glsa/glsa-201407-03.xml"
          },
          {
            "name": "http://seclists.org/oss-sec/2013/q4/att-61/xsa69.patch",
            "refsource": "MISC",
            "url": "http://seclists.org/oss-sec/2013/q4/att-61/xsa69.patch"
          },
          {
            "name": "http://www.openwall.com/lists/oss-security/2013/10/10/13",
            "refsource": "MISC",
            "url": "http://www.openwall.com/lists/oss-security/2013/10/10/13"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:xen:xen:4.2.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:xen:xen:4.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:xen:xen:4.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:xen:xen:4.2.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:xen:xen:4.2.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-4370"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The ocaml binding for the xc_vcpu_getaffinity function in Xen 4.2.x and 4.3.x frees certain memory that may still be intended for use, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors that trigger a (1) use-after-free or (2) double free."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-119"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20131010 Xen Security Advisory 69 (CVE-2013-4370) - misplaced free in  ocaml xc_vcpu_getaffinity stub",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2013/10/10/13"
            },
            {
              "name": "http://seclists.org/oss-sec/2013/q4/att-61/xsa69.patch",
              "refsource": "MISC",
              "tags": [],
              "url": "http://seclists.org/oss-sec/2013/q4/att-61/xsa69.patch"
            },
            {
              "name": "GLSA-201407-03",
              "refsource": "GENTOO",
              "tags": [],
              "url": "http://security.gentoo.org/glsa/glsa-201407-03.xml"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.6,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2017-01-07T02:59Z",
      "publishedDate": "2013-10-17T23:55Z"
    }
  }
}

CERTFR-2014-AVI-039

Vulnerability from certfr_avis - Published: 2014-01-22 - Updated: 2014-01-22

De multiples vulnérabilités ont été corrigées dans les produits Citrix. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, un déni de service et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Citrix	XenServer	Citrix XenServer 6.1
Citrix	XenServer	Citrix XenServer 6.0.2
Citrix	XenServer	Citrix XenServer 5.6 Service Pack 1
Citrix	XenServer	Citrix XenServer 5.6 Service Pack 2
Citrix	N/A	Citrix XenClient XT versions antérieures à 3.2
Citrix	XenServer	Citrix XenServer 6.2
Citrix	XenServer	Citrix XenServer 6.0.0
Citrix	XenServer	Citrix XenServer 5.6
Citrix	XenServer	Citrix XenServer 6.2 Service Pack 1

References

Title

Publication Time

FKIE_CVE-2013-4370

Vulnerability from fkie_nvd - Published: 2013-10-17 23:55 - Updated: 2025-04-11 00:51

Severity ?

Summary

References

	URL	Tags
	secalert@redhat.com	http://seclists.org/oss-sec/2013/q4/att-61/xsa69.patch
	secalert@redhat.com	http://security.gentoo.org/glsa/glsa-201407-03.xml
	secalert@redhat.com	http://www.openwall.com/lists/oss-security/2013/10/10/13
	af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/oss-sec/2013/q4/att-61/xsa69.patch
	af854a3a-2127-422b-91ae-364da2661108	http://security.gentoo.org/glsa/glsa-201407-03.xml
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2013/10/10/13

Impacted products

Vendor	Product	Version
xen	xen	4.2.0
xen	xen	4.2.1
xen	xen	4.2.2
xen	xen	4.2.3
xen	xen	4.3.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:xen:xen:4.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8F0AF8EF-6FF6-4E22-B16E-82C9F90C6B00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:xen:xen:4.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "47640819-FC43-49ED-8A77-728C3D7255B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:xen:xen:4.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "2448537F-87AD-45C1-9FB0-7A49CA31BD76",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:xen:xen:4.2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E36B2265-70E1-413B-A7CF-79D39E9ADCFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:xen:xen:4.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BF948E6A-07BE-4C7D-8A98-002E89D35F4D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The ocaml binding for the xc_vcpu_getaffinity function in Xen 4.2.x and 4.3.x frees certain memory that may still be intended for use, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors that trigger a (1) use-after-free or (2) double free."
    },
    {
      "lang": "es",
      "value": "El enlace ocaml para la funci\u00f3n xc_vcpu_getaffinity en Xen 4.2.x y 4.3.x libera cierta memoria que a\u00fan podr\u00eda estar destinada a su utilizaci\u00f3n, lo que permite a usuarios locales provocar una denegaci\u00f3n de servicio (corrupci\u00f3n de heap y la ca\u00edda) y posiblemente ejecutar c\u00f3digo arbitrario a trav\u00e9s de vectores no especificados que provocan un (1) el uso despu\u00e9s de liberaci\u00f3n o (2) la  doble liberacion"
    }
  ],
  "id": "CVE-2013-4370",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2013-10-17T23:55:04.533",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "http://seclists.org/oss-sec/2013/q4/att-61/xsa69.patch"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://security.gentoo.org/glsa/glsa-201407-03.xml"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.openwall.com/lists/oss-security/2013/10/10/13"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/oss-sec/2013/q4/att-61/xsa69.patch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://security.gentoo.org/glsa/glsa-201407-03.xml"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2013/10/10/13"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-119"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2013-4370 (GCVE-0-2013-4370)

GHSA-W68M-2VPJ-2RJG

GSD-2013-4370

CERTFR-2014-AVI-039

Solution

FKIE_CVE-2013-4370

Tags

Sightings

Nomenclature