Vulnerability CVE-2013-7290
Published: 2014-01-13   Modified: 2014-01-14

Description:
The do_item_get function in items.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (segmentation fault) via a request to delete a key, which does not account for the lack of a null terminator in the key and triggers a buffer over-read when printing to stderr, a different vulnerability than CVE-2013-0179.

See advisories in our WLB2 database:
Topic
Author
Date
High
memcached 1.4.4 Remote Code Execution
jeremy
14.01.2014

Type:

CWE-119

 (Improper Restriction of Operations within the Bounds of a Memory Buffer)

CVSS2 => (AV:A/AC:H/Au:N/C:N/I:N/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
1.8/10
2.9/10
3.2/10
Exploit range
Attack complexity
Authentication
Adjacent network
High
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial
Affected software
Memcached -> Memcached 

 References:
http://www.securityfocus.com/bid/64988
https://code.google.com/p/memcached/issues/detail?id=306
https://code.google.com/p/memcached/wiki/ReleaseNotes1417
Copyright 2024, cxsecurity.com

 

Back to Top