Vulnerability CVE-2021-22547
Published: 2021-05-04

Description:
In IoT Devices SDK, there is an implementation of calloc() that doesn't have a length check. An attacker could pass in memory objects larger than the buffer and wrap around to have a smaller buffer than required, allowing the attacker access to the other parts of the heap. We recommend upgrading the Google Cloud IoT Device SDK for Embedded C used to 1.0.3 or greater.

Type:

CWE-120

 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))

CVSS2 => (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.6/10
6.4/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Google -> Cloud iot device sdk for embedded c 

 References:
https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/blob/master/RELEASE-NOTES.md
https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/pull/119
Copyright 2024, cxsecurity.com

 

Back to Top