CVE-2022-46149 (GCVE-0-2022-46149)

Vulnerability from cvelistv5 – Published: 2022-11-30 00:00 – Updated: 2025-04-23 16:33

Title

Cap'n Proto vulnerable to out-of-bounds read due to logic error handling list-of-list.

Summary

Cap'n Proto is a data interchange format and remote procedure call (RPC) system. Cap'n Proro prior to versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3, as well as versions of Cap'n Proto's Rust implementation prior to 0.13.7, 0.14.11, and 0.15.2 are vulnerable to out-of-bounds read due to logic error handling list-of-list. This issue may lead someone to remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type. Exfiltration of memory is possible if the victim performs additional certain actions on a list-of-pointer type. To be vulnerable, an application must perform a specific sequence of actions, described in the GitHub Security Advisory. The bug is present in inlined code, therefore the fix will require rebuilding dependent applications. Cap'n Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3. The `capnp` Rust crate has fixes available in versions 0.13.7, 0.14.11, and 0.15.2.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L

CWE

CWE-125 - Out-of-bounds Read

Assigner

GitHub_M

References

URL

Tags

	https://github.com/capnproto/capnproto/security/a…
	https://github.com/capnproto/capnproto/commit/25d…
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory

Impacted products

	Vendor	Product	Version
	capnproto	capnproto	Affected: < 0.7.1 Affected: >= 0.8.0, < 0.8.1 Affected: >= 0.9.0, < 0.9.2 Affected: >= 0.10.0, < 0.10.3 Affected: >= 0.13.0, < 0.13.7 Affected: >= 0.14.0, < 0.14.11 Affected: >= 0.15.0, < 0.15.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T14:24:03.395Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9"
          },
          {
            "name": "FEDORA-2022-5d37367673",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WKXM4JAFXLTXU5IQB3OUBQVCIICZWGYX/"
          },
          {
            "name": "FEDORA-2022-18023b665f",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZOCQQOPMVQOFUWBWAGVGN76OYAV3WXY4/"
          },
          {
            "name": "FEDORA-2022-fd7eeedd02",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTS6TWD6K2NKXLEEFBPROQXMOFUTEYWY/"
          },
          {
            "name": "FEDORA-2022-7002ec8b22",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EAHKLUMJAXJEV5BPBS5XXWBQ3ZTHGOLY/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-46149",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T13:53:29.015179Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:33:43.499Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "capnproto",
          "vendor": "capnproto",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.7.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.8.0, \u003c 0.8.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.9.0, \u003c 0.9.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.10.0, \u003c 0.10.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.13.0, \u003c 0.13.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.14.0, \u003c 0.14.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.15.0, \u003c 0.15.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cap\u0027n Proto is a data interchange format and remote procedure call (RPC) system. Cap\u0027n Proro prior to versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3, as well as versions of Cap\u0027n Proto\u0027s Rust implementation prior to 0.13.7, 0.14.11, and 0.15.2 are vulnerable to out-of-bounds read due to logic error handling list-of-list. This issue may lead someone to remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type. Exfiltration of memory is possible if the victim performs additional certain actions on a list-of-pointer type. To be vulnerable, an application must perform a specific sequence of actions, described in the GitHub Security Advisory. The bug is present in inlined code, therefore the fix will require rebuilding dependent applications. Cap\u0027n Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3. The `capnp` Rust crate has fixes available in versions 0.13.7, 0.14.11, and 0.15.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-10T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx"
        },
        {
          "url": "https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9"
        },
        {
          "name": "FEDORA-2022-5d37367673",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WKXM4JAFXLTXU5IQB3OUBQVCIICZWGYX/"
        },
        {
          "name": "FEDORA-2022-18023b665f",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZOCQQOPMVQOFUWBWAGVGN76OYAV3WXY4/"
        },
        {
          "name": "FEDORA-2022-fd7eeedd02",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTS6TWD6K2NKXLEEFBPROQXMOFUTEYWY/"
        },
        {
          "name": "FEDORA-2022-7002ec8b22",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EAHKLUMJAXJEV5BPBS5XXWBQ3ZTHGOLY/"
        }
      ],
      "source": {
        "advisory": "GHSA-qqff-4vw4-f6hx",
        "discovery": "UNKNOWN"
      },
      "title": "Cap\u0027n Proto vulnerable to out-of-bounds read due to logic error handling list-of-list."
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-46149",
    "datePublished": "2022-11-30T00:00:00.000Z",
    "dateReserved": "2022-11-28T00:00:00.000Z",
    "dateUpdated": "2025-04-23T16:33:43.499Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WKXM4JAFXLTXU5IQB3OUBQVCIICZWGYX/\", \"name\": \"FEDORA-2022-5d37367673\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZOCQQOPMVQOFUWBWAGVGN76OYAV3WXY4/\", \"name\": \"FEDORA-2022-18023b665f\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTS6TWD6K2NKXLEEFBPROQXMOFUTEYWY/\", \"name\": \"FEDORA-2022-fd7eeedd02\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EAHKLUMJAXJEV5BPBS5XXWBQ3ZTHGOLY/\", \"name\": \"FEDORA-2022-7002ec8b22\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T14:24:03.395Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-46149\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T13:53:29.015179Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T13:53:30.731Z\"}}], \"cna\": {\"title\": \"Cap\u0027n Proto vulnerable to out-of-bounds read due to logic error handling list-of-list.\", \"source\": {\"advisory\": \"GHSA-qqff-4vw4-f6hx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"capnproto\", \"product\": \"capnproto\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.7.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.8.0, \u003c 0.8.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.9.0, \u003c 0.9.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.10.0, \u003c 0.10.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.13.0, \u003c 0.13.7\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.14.0, \u003c 0.14.11\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.15.0, \u003c 0.15.2\"}]}], \"references\": [{\"url\": \"https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx\"}, {\"url\": \"https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WKXM4JAFXLTXU5IQB3OUBQVCIICZWGYX/\", \"name\": \"FEDORA-2022-5d37367673\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZOCQQOPMVQOFUWBWAGVGN76OYAV3WXY4/\", \"name\": \"FEDORA-2022-18023b665f\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTS6TWD6K2NKXLEEFBPROQXMOFUTEYWY/\", \"name\": \"FEDORA-2022-fd7eeedd02\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EAHKLUMJAXJEV5BPBS5XXWBQ3ZTHGOLY/\", \"name\": \"FEDORA-2022-7002ec8b22\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Cap\u0027n Proto is a data interchange format and remote procedure call (RPC) system. Cap\u0027n Proro prior to versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3, as well as versions of Cap\u0027n Proto\u0027s Rust implementation prior to 0.13.7, 0.14.11, and 0.15.2 are vulnerable to out-of-bounds read due to logic error handling list-of-list. This issue may lead someone to remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type. Exfiltration of memory is possible if the victim performs additional certain actions on a list-of-pointer type. To be vulnerable, an application must perform a specific sequence of actions, described in the GitHub Security Advisory. The bug is present in inlined code, therefore the fix will require rebuilding dependent applications. Cap\u0027n Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3. The `capnp` Rust crate has fixes available in versions 0.13.7, 0.14.11, and 0.15.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-125\", \"description\": \"CWE-125: Out-of-bounds Read\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-12-10T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-46149\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T16:33:43.499Z\", \"dateReserved\": \"2022-11-28T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-11-30T00:00:00.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-QQFF-4VW4-F6HX

Vulnerability from github – Published: 2022-12-05 17:58 – Updated: 2022-12-05 17:58

Summary

Cap'n Proto and its Rust implementation vulnerable to out-of-bounds read due to logic error handling list-of-list

Details

The Cap'n Proto library and capnp Rust package are vulnerable to out-of-bounds read due to logic error handling list-of-list. If a message consumer expects data of type "list of pointers", and if the consumer performs certain specific actions on such data, then a message producer can cause the consumer to read out-of-bounds memory. This could trigger a process crash in the consumer, or in some cases could allow exfiltration of private in-memory data.

Impact

Remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type.
Possible exfiltration of memory, if the victim performs additional certain actions on a list-of-pointer type.
To be vulnerable, an application must perform a specific sequence of actions, described below. At present, we are not aware of any vulnerable application, but we advise updating regardless.

Fixed in

Unfortunately, the bug is present in inlined code, therefore the fix will require rebuilding dependent applications.

C++ fix:

git commit 25d34c67863fd960af34fc4f82a7ca3362ee74b9
release 0.11 (future)
release 0.10.3:
Unix: https://capnproto.org/capnproto-c++-0.10.3.tar.gz
Windows: https://capnproto.org/capnproto-c++-win32-0.10.3.zip
release 0.9.2:
Unix: https://capnproto.org/capnproto-c++-0.9.2.tar.gz
Windows: https://capnproto.org/capnproto-c++-win32-0.9.2.zip
release 0.8.1:
Unix: https://capnproto.org/capnproto-c++-0.8.1.tar.gz
Windows: https://capnproto.org/capnproto-c++-win32-0.8.1.zip
release 0.7.1:
Unix: https://capnproto.org/capnproto-c++-0.7.1.tar.gz
Windows: https://capnproto.org/capnproto-c++-win32-0.7.1.zip
release 0.5.4:
Unix: https://capnproto.org/capnproto-c++-0.5.4.tar.gz
Windows: https://capnproto.org/capnproto-c++-win32-0.5.4.zip

Rust fix:

capnp crate version 0.15.2, 0.14.11, or 0.13.7

Details

A specially-crafted pointer could escape bounds checking by exploiting inconsistent handling of pointers when a list-of-structs is downgraded to a list-of-pointers.

For an in-depth explanation of how this bug works, see David Renshaw's blog post. This details below focus only on determining whether an application is vulnerable.

In order to be vulnerable, an application must have certain properties.

First, the application must accept messages with a schema in which a field has list-of-pointer type. This includes List(Text), List(Data), List(List(T)), or List(C) where C is an interface type. In the following discussion, we will assume this field is named foo.

Second, the application must accept a message of this schema from a malicious source, where the attacker can maliciously encode the pointer representing the field foo.

Third, the application must call getFoo() to obtain a List<T>::Reader for the field, and then use it in one of the following two ways:

Pass it as the parameter to another message's setFoo(), thus copying the field into a new message. Note that copying the parent struct as a whole will not trigger the bug; the bug only occurs if the specific field foo is get/set on its own.
Convert it into AnyList::Reader, and then attempt to access it through that. This is much less likely; very few apps use the AnyList API.

The dynamic API equivalents of these actions (capnp/dynamic.h) are also affected.

If the application does these steps, the attacker may be able to cause the Cap'n Proto implementation to read beyond the end of the message. This could induce a segmentation fault. Or, worse, data that happened to be in memory immediately after the message might be returned as if it were part of the message. In the latter case, if the application then forwards that data back to the attacker or sends it to another third party, this could result in exfiltration of secrets.

Any exfiltration of data would have the following limitations:

The attacker could exfiltrate no more than 512 KiB of memory immediately following the message buffer.
The attacker chooses in advance how far past the end of the message to read.
The attacker's message itself must be larger than the exfiltrated data. Note that a sufficiently large message buffer will likely be allocated using mmap() in which case the attack will likely segfault.
The attack can only work if the 8 bytes immediately following the exfiltrated data contains a valid in-bounds Cap'n Proto pointer. The easiest way to achieve this is if the pointer is null, i.e. 8 bytes of zero.
The attacker must specify exactly how much data to exfiltrate, so must guess exactly where such a valid pointer will exist.
If the exfiltrated data is not followed by a valid pointer, the attack will throw an exception. If an application has chosen to ignore exceptions (e.g. by compiling with -fno-exceptions and not registering an alternative exception callback) then the attack may be able to proceed anyway.

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "capnp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.15.0"
            },
            {
              "fixed": "0.15.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "capnp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.14.0"
            },
            {
              "fixed": "0.14.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "capnp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.13.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-46149"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-05T17:58:16Z",
    "nvd_published_at": "2022-11-30T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Cap\u0027n Proto library and capnp Rust package are vulnerable to out-of-bounds read due to logic error handling list-of-list. If a message consumer expects data of type \"list of pointers\", and if the consumer performs certain specific actions on such data, then a message producer can cause the consumer to read out-of-bounds memory. This could trigger a process crash in the consumer, or in some cases could allow exfiltration of private in-memory data.\n\nImpact\n======\n\n- Remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type.\n- Possible exfiltration of memory, if the victim performs additional certain actions on a list-of-pointer type.\n- To be vulnerable, an application must perform a specific sequence of actions, described below. At present, **we are not aware of any vulnerable application**, but we advise updating regardless.\n\nFixed in\n========\n\nUnfortunately, the bug is present in inlined code, therefore the fix will require rebuilding dependent applications.\n\nC++ fix:\n\n- git commit [25d34c67863fd960af34fc4f82a7ca3362ee74b9][0]\n- release 0.11 (future)\n- release 0.10.3:\n  - Unix: https://capnproto.org/capnproto-c++-0.10.3.tar.gz\n  - Windows: https://capnproto.org/capnproto-c++-win32-0.10.3.zip\n- release 0.9.2:\n  - Unix: https://capnproto.org/capnproto-c++-0.9.2.tar.gz\n  - Windows: https://capnproto.org/capnproto-c++-win32-0.9.2.zip\n- release 0.8.1:\n  - Unix: https://capnproto.org/capnproto-c++-0.8.1.tar.gz\n  - Windows: https://capnproto.org/capnproto-c++-win32-0.8.1.zip\n- release 0.7.1:\n  - Unix: https://capnproto.org/capnproto-c++-0.7.1.tar.gz\n  - Windows: https://capnproto.org/capnproto-c++-win32-0.7.1.zip\n- release 0.5.4:\n  - Unix: https://capnproto.org/capnproto-c++-0.5.4.tar.gz\n  - Windows: https://capnproto.org/capnproto-c++-win32-0.5.4.zip\n\nRust fix:\n\n- `capnp` crate version `0.15.2`, `0.14.11`, or `0.13.7`\n\n[0]: https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9\n\nDetails\n=======\n\nA specially-crafted pointer could escape bounds checking by exploiting inconsistent handling of pointers when a list-of-structs is downgraded to a list-of-pointers.\n\nFor an in-depth explanation of how this bug works, see [David Renshaw\u0027s blog post](https://dwrensha.github.io/capnproto-rust/2022/11/30/out_of_bounds_memory_access_bug.html). This details below focus only on determining whether an application is vulnerable.\n\nIn order to be vulnerable, an application must have certain properties.\n\nFirst, the application must accept messages with a schema in which a field has list-of-pointer type. This includes `List(Text)`, `List(Data)`, `List(List(T))`, or `List(C)` where `C` is an interface type. In the following discussion, we will assume this field is named `foo`.\n\nSecond, the application must accept a message of this schema from a malicious source, where the attacker can maliciously encode the pointer representing the field `foo`.\n\nThird, the application must call `getFoo()` to obtain a `List\u003cT\u003e::Reader` for the field, and then use it in one of the following two ways:\n\n1. Pass it as the parameter to another message\u0027s `setFoo()`, thus copying the field into a new message. Note that copying the parent struct as a whole will *not* trigger the bug; the bug only occurs if the specific field `foo` is get/set on its own.\n\n2. Convert it into `AnyList::Reader`, and then attempt to access it through that. This is much less likely; very few apps use the `AnyList` API.\n\nThe dynamic API equivalents of these actions (`capnp/dynamic.h`) are also affected.\n\nIf the application does these steps, the attacker may be able to cause the Cap\u0027n Proto implementation to read beyond the end of the message. This could induce a segmentation fault. Or, worse, data that happened to be in memory immediately after the message might be returned as if it were part of the message. In the latter case, if the application then forwards that data back to the attacker or sends it to another third party, this could result in exfiltration of secrets.\n\nAny exfiltration of data would have the following limitations:\n\n* The attacker could exfiltrate no more than 512 KiB of memory immediately following the message buffer.\n  * The attacker chooses in advance how far past the end of the message to read.\n  * The attacker\u0027s message itself must be larger than the exfiltrated data. Note that a sufficiently large message buffer will likely be allocated using mmap() in which case the attack will likely segfault.\n* The attack can only work if the 8 bytes immediately following the exfiltrated data contains a valid in-bounds Cap\u0027n Proto pointer. The easiest way to achieve this is if the pointer is null, i.e. 8 bytes of zero.\n  * The attacker must specify exactly how much data to exfiltrate, so must guess exactly where such a valid pointer will exist.\n  * If the exfiltrated data is not followed by a valid pointer, the attack will throw an exception. If an application has chosen to ignore exceptions (e.g. by compiling with `-fno-exceptions` and not registering an alternative exception callback) then the attack may be able to proceed anyway.",
  "id": "GHSA-qqff-4vw4-f6hx",
  "modified": "2022-12-05T17:58:16Z",
  "published": "2022-12-05T17:58:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46149"
    },
    {
      "type": "WEB",
      "url": "https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9"
    },
    {
      "type": "WEB",
      "url": "https://dwrensha.github.io/capnproto-rust/2022/11/30/out_of_bounds_memory_access_bug.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/capnproto/capnproto"
    },
    {
      "type": "WEB",
      "url": "https://github.com/capnproto/capnproto/tree/master/security-advisories/2022-11-30-0-pointer-list-bounds.md"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EAHKLUMJAXJEV5BPBS5XXWBQ3ZTHGOLY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTS6TWD6K2NKXLEEFBPROQXMOFUTEYWY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WKXM4JAFXLTXU5IQB3OUBQVCIICZWGYX"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZOCQQOPMVQOFUWBWAGVGN76OYAV3WXY4"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0068.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cap\u0027n Proto and its Rust implementation vulnerable to out-of-bounds read due to logic error handling list-of-list"
}

FKIE_CVE-2022-46149

Vulnerability from fkie_nvd - Published: 2022-11-30 17:15 - Updated: 2024-11-21 07:30

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx	Patch, Third Party Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EAHKLUMJAXJEV5BPBS5XXWBQ3ZTHGOLY/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTS6TWD6K2NKXLEEFBPROQXMOFUTEYWY/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WKXM4JAFXLTXU5IQB3OUBQVCIICZWGYX/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZOCQQOPMVQOFUWBWAGVGN76OYAV3WXY4/
af854a3a-2127-422b-91ae-364da2661108	https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EAHKLUMJAXJEV5BPBS5XXWBQ3ZTHGOLY/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTS6TWD6K2NKXLEEFBPROQXMOFUTEYWY/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WKXM4JAFXLTXU5IQB3OUBQVCIICZWGYX/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZOCQQOPMVQOFUWBWAGVGN76OYAV3WXY4/

Impacted products

Vendor	Product	Version
capnproto	capnproto	*
capnproto	capnproto	*
capnproto	capnproto	*
capnproto	capnproto	0.8.0
capnproto	capnp	*
capnproto	capnp	*
capnproto	capnp	*
fedoraproject	fedora	36
fedoraproject	fedora	37

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:capnproto:capnproto:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D329C641-F7C9-4A6F-8398-BC0A36227B7A",
              "versionEndExcluding": "0.7.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:capnproto:capnproto:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F23D31E1-3EC5-4BA9-BD74-D27A6FA809DE",
              "versionEndExcluding": "0.9.2",
              "versionStartIncluding": "0.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:capnproto:capnproto:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "99639291-62E7-4D6E-97E4-C673B77A4FA9",
              "versionEndExcluding": "0.10.3",
              "versionStartIncluding": "0.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:capnproto:capnproto:0.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "91549D17-7798-4A38-B7B9-E6A0417063E9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:capnproto:capnp:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "893E526B-29B6-4FEE-A447-EDDF585FEB52",
              "versionEndExcluding": "0.13.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:capnproto:capnp:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "AA32CD2C-881D-4D86-BF91-B95E33A88B34",
              "versionEndExcluding": "0.14.11",
              "versionStartIncluding": "0.14.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:capnproto:capnp:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "1A3D361A-8BCB-4E0F-A4E3-53F989AAC9FC",
              "versionEndExcluding": "0.15.2",
              "versionStartIncluding": "0.15.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
              "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cap\u0027n Proto is a data interchange format and remote procedure call (RPC) system. Cap\u0027n Proro prior to versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3, as well as versions of Cap\u0027n Proto\u0027s Rust implementation prior to 0.13.7, 0.14.11, and 0.15.2 are vulnerable to out-of-bounds read due to logic error handling list-of-list. This issue may lead someone to remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type. Exfiltration of memory is possible if the victim performs additional certain actions on a list-of-pointer type. To be vulnerable, an application must perform a specific sequence of actions, described in the GitHub Security Advisory. The bug is present in inlined code, therefore the fix will require rebuilding dependent applications. Cap\u0027n Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3. The `capnp` Rust crate has fixes available in versions 0.13.7, 0.14.11, and 0.15.2."
    },
    {
      "lang": "es",
      "value": "Cap\u0027n Proto es un formato de intercambio de datos y un sistema de llamada a procedimiento remoto (RPC). Cap\u0027n Proro anterior a las versiones 0.7.1, 0.8.1, 0.9.2 y 0.10.3, as\u00ed como las versiones de la implementaci\u00f3n Rust de Cap\u0027n Proto anteriores a 0.13.7, 0.14.11 y 0.15.2 son vulnerable a lecturas fuera de l\u00edmites debido a un error l\u00f3gico al manejar la lista de listas. Este problema puede llevar a que alguien segmente remotamente a un par envi\u00e1ndole un mensaje malicioso, si la v\u00edctima realiza ciertas acciones en un tipo de lista de punteros. La exfiltraci\u00f3n de memoria es posible si la v\u00edctima realiza ciertas acciones adicionales en un tipo de lista de punteros. Para ser vulnerable, una aplicaci\u00f3n debe realizar una secuencia espec\u00edfica de acciones, descrita en el Aviso de seguridad de GitHub. El error est\u00e1 presente en el c\u00f3digo integrado, por lo que para solucionarlo ser\u00e1 necesario reconstruir las aplicaciones dependientes. Cap\u0027n Proto tiene correcciones de C++ disponibles en las versiones 0.7.1, 0.8.1, 0.9.2 y 0.10.3. La caja Rust `capnp` tiene correcciones disponibles en las versiones 0.13.7, 0.14.11 y 0.15.2."
    }
  ],
  "id": "CVE-2022-46149",
  "lastModified": "2024-11-21T07:30:12.407",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-30T17:15:10.097",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EAHKLUMJAXJEV5BPBS5XXWBQ3ZTHGOLY/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTS6TWD6K2NKXLEEFBPROQXMOFUTEYWY/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WKXM4JAFXLTXU5IQB3OUBQVCIICZWGYX/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZOCQQOPMVQOFUWBWAGVGN76OYAV3WXY4/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EAHKLUMJAXJEV5BPBS5XXWBQ3ZTHGOLY/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTS6TWD6K2NKXLEEFBPROQXMOFUTEYWY/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WKXM4JAFXLTXU5IQB3OUBQVCIICZWGYX/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZOCQQOPMVQOFUWBWAGVGN76OYAV3WXY4/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-125"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GSD-2022-46149

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-46149

Aliases

CVE-2022-46149

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-46149",
    "id": "GSD-2022-46149",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-46149.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-46149"
      ],
      "details": "Cap\u0027n Proto is a data interchange format and remote procedure call (RPC) system. Cap\u0027n Proro prior to versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3, as well as versions of Cap\u0027n Proto\u0027s Rust implementation prior to 0.13.7, 0.14.11, and 0.15.2 are vulnerable to out-of-bounds read due to logic error handling list-of-list. This issue may lead someone to remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type. Exfiltration of memory is possible if the victim performs additional certain actions on a list-of-pointer type. To be vulnerable, an application must perform a specific sequence of actions, described in the GitHub Security Advisory. The bug is present in inlined code, therefore the fix will require rebuilding dependent applications. Cap\u0027n Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3. The `capnp` Rust crate has fixes available in versions 0.13.7, 0.14.11, and 0.15.2.",
      "id": "GSD-2022-46149",
      "modified": "2023-12-13T01:19:38.308550Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-46149",
        "STATE": "PUBLIC",
        "TITLE": "Cap\u0027n Proto vulnerable to out-of-bounds read due to logic error handling list-of-list."
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "capnproto",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 0.7.1"
                        },
                        {
                          "version_value": "\u003e= 0.8.0, \u003c 0.8.1"
                        },
                        {
                          "version_value": "\u003e= 0.9.0, \u003c 0.9.2"
                        },
                        {
                          "version_value": "\u003e= 0.10.0, \u003c 0.10.3"
                        },
                        {
                          "version_value": "\u003e= 0.13.0, \u003c 0.13.7"
                        },
                        {
                          "version_value": "\u003e= 0.14.0, \u003c 0.14.11"
                        },
                        {
                          "version_value": "\u003e= 0.15.0, \u003c 0.15.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "capnproto"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cap\u0027n Proto is a data interchange format and remote procedure call (RPC) system. Cap\u0027n Proro prior to versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3, as well as versions of Cap\u0027n Proto\u0027s Rust implementation prior to 0.13.7, 0.14.11, and 0.15.2 are vulnerable to out-of-bounds read due to logic error handling list-of-list. This issue may lead someone to remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type. Exfiltration of memory is possible if the victim performs additional certain actions on a list-of-pointer type. To be vulnerable, an application must perform a specific sequence of actions, described in the GitHub Security Advisory. The bug is present in inlined code, therefore the fix will require rebuilding dependent applications. Cap\u0027n Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3. The `capnp` Rust crate has fixes available in versions 0.13.7, 0.14.11, and 0.15.2."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-125: Out-of-bounds Read"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx",
            "refsource": "CONFIRM",
            "url": "https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx"
          },
          {
            "name": "https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9",
            "refsource": "MISC",
            "url": "https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9"
          },
          {
            "name": "FEDORA-2022-5d37367673",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WKXM4JAFXLTXU5IQB3OUBQVCIICZWGYX/"
          },
          {
            "name": "FEDORA-2022-18023b665f",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZOCQQOPMVQOFUWBWAGVGN76OYAV3WXY4/"
          },
          {
            "name": "FEDORA-2022-fd7eeedd02",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTS6TWD6K2NKXLEEFBPROQXMOFUTEYWY/"
          },
          {
            "name": "FEDORA-2022-7002ec8b22",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EAHKLUMJAXJEV5BPBS5XXWBQ3ZTHGOLY/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-qqff-4vw4-f6hx",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.13.7||\u003e=0.14.0 \u003c0.14.11||\u003e=0.15.0 \u003c0.15.2",
          "affected_versions": "All versions before 0.13.7, all versions starting from 0.14.0 before 0.14.11, all versions starting from 0.15.0 before 0.15.2",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L",
          "cwe_ids": [
            "CWE-1035",
            "CWE-125",
            "CWE-937"
          ],
          "date": "2023-02-10",
          "description": "Cap\u0027n Proto is a data interchange format and remote procedure call (RPC) system. Cap\u0027n Proro prior to versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3, as well as versions of Cap\u0027n Proto\u0027s Rust implementation prior to 0.13.7, 0.14.11, and 0.15.2 is vulnerable to out-of-bounds read due to logic error handling list-of-list. This issue may lead someone to remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type. Exfiltration of memory is possible if the victim performs additional certain actions on a list-of-pointer type. To be vulnerable, an application must perform a specific sequence of actions, described in the GitHub Security Advisory. The bug is present in inlined code, therefore the fix will require rebuilding dependent applications. Cap\u0027n Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3. The `capnp` Rust crate has fixes available in versions 0.13.7, 0.14.11, and 0.15.2.",
          "fixed_versions": [
            "0.13.7",
            "0.14.11",
            "0.15.2"
          ],
          "identifier": "CVE-2022-46149",
          "identifiers": [
            "CVE-2022-46149",
            "GHSA-qqff-4vw4-f6hx"
          ],
          "not_impacted": "All versions starting from 0.13.7 before 0.14.0, all versions starting from 0.14.11 before 0.15.0, all versions starting from 0.15.2",
          "package_slug": "conan/capnproto",
          "pubdate": "2022-11-30",
          "solution": "Unfortunately, there is no solution available on conan yet.",
          "title": "Out-of-bounds Read",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-46149",
            "https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9",
            "https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WKXM4JAFXLTXU5IQB3OUBQVCIICZWGYX/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZOCQQOPMVQOFUWBWAGVGN76OYAV3WXY4/"
          ],
          "uuid": "7f5eefbb-71e2-49c8-b074-fe83b8586f0d"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:capnproto:capnproto:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.9.2",
                "versionStartIncluding": "0.9.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:capnproto:capnproto:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.7.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:capnproto:capnproto:0.8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:capnproto:capnproto:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.10.3",
                "versionStartIncluding": "0.10.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:capnproto:capnp:*:*:*:*:*:rust:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.15.2",
                "versionStartIncluding": "0.15.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:capnproto:capnp:*:*:*:*:*:rust:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.14.11",
                "versionStartIncluding": "0.14.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:capnproto:capnp:*:*:*:*:*:rust:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.13.7",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-46149"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cap\u0027n Proto is a data interchange format and remote procedure call (RPC) system. Cap\u0027n Proro prior to versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3, as well as versions of Cap\u0027n Proto\u0027s Rust implementation prior to 0.13.7, 0.14.11, and 0.15.2 are vulnerable to out-of-bounds read due to logic error handling list-of-list. This issue may lead someone to remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type. Exfiltration of memory is possible if the victim performs additional certain actions on a list-of-pointer type. To be vulnerable, an application must perform a specific sequence of actions, described in the GitHub Security Advisory. The bug is present in inlined code, therefore the fix will require rebuilding dependent applications. Cap\u0027n Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3. The `capnp` Rust crate has fixes available in versions 0.13.7, 0.14.11, and 0.15.2."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-125"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9"
            },
            {
              "name": "https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx"
            },
            {
              "name": "FEDORA-2022-5d37367673",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WKXM4JAFXLTXU5IQB3OUBQVCIICZWGYX/"
            },
            {
              "name": "FEDORA-2022-18023b665f",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZOCQQOPMVQOFUWBWAGVGN76OYAV3WXY4/"
            },
            {
              "name": "FEDORA-2022-7002ec8b22",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EAHKLUMJAXJEV5BPBS5XXWBQ3ZTHGOLY/"
            },
            {
              "name": "FEDORA-2022-fd7eeedd02",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTS6TWD6K2NKXLEEFBPROQXMOFUTEYWY/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      },
      "lastModifiedDate": "2023-02-10T18:49Z",
      "publishedDate": "2022-11-30T17:15Z"
    }
  }
}

cve-2022-46149

Vulnerability from osv_rustsec

Published

2022-11-30 12:00

Modified

2022-11-30 22:16

Summary

out-of-bounds read possible when setting list-of-pointers

Details

If a message consumer expects data of type "list of pointers", and if the consumer performs certain specific actions on such data, then a message producer can cause the consumer to read out-of-bounds memory. This could trigger a process crash in the consumer, or in some cases could allow exfiltration of private in-memory data.

The C++ Cap'n Proto library is also affected by this bug. See the advisory on the main Cap'n Proto repo for a succinct description of the exact circumstances in which the problem can arise.

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-exposure"
        ],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "capnp",
        "purl": "pkg:cargo/capnp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.13.7"
            },
            {
              "introduced": "0.14.0-0"
            },
            {
              "fixed": "0.14.11"
            },
            {
              "introduced": "0.15.0-0"
            },
            {
              "fixed": "0.15.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2022-46149",
    "GHSA-qqff-4vw4-f6hx"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "If a message consumer expects data\nof type \"list of pointers\",\nand if the consumer performs certain specific actions on such data,\nthen a message producer can cause the consumer to read out-of-bounds memory.\nThis could trigger a process crash in the consumer,\nor in some cases could allow exfiltration of private in-memory data.\n\nThe C++ Cap\u0027n Proto library is also affected by this bug.\nSee the [advisory](https://github.com/capnproto/capnproto/tree/master/security-advisories/2022-11-30-0-pointer-list-bounds.md)\non the main Cap\u0027n Proto repo for a succinct description of\nthe exact circumstances in which the problem can arise.",
  "id": "RUSTSEC-2022-0068",
  "modified": "2022-11-30T22:16:39Z",
  "published": "2022-11-30T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/capnp"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0068.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/capnproto/capnproto/tree/master/security-advisories/2022-11-30-0-pointer-list-bounds.md"
    },
    {
      "type": "WEB",
      "url": "https://dwrensha.github.io/capnproto-rust/2022/11/30/out_of_bounds_memory_access_bug.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "out-of-bounds read possible when setting list-of-pointers"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-46149 (GCVE-0-2022-46149)

GHSA-QQFF-4VW4-F6HX

Impact

Fixed in

Details

FKIE_CVE-2022-46149

GSD-2022-46149

cve-2022-46149

Vulnerability from osv_rustsec

Tags

Sightings

Nomenclature