#VU32448 Resource management error in file - CVE-2014-9621


| Updated: 2020-07-28

Vulnerability identifier: #VU32448

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-9621

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
file
Universal components / Libraries / Libraries used by multiple products

Vendor: Ian F. Darwin

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string.

Mitigation
Install update from vendor's website.

Vulnerable software versions

file: 5.16 - 5.21

External links
https://advisories.mageia.org/MGASA-2015-0040.html
https://mx.gw.com/pipermail/file/2014/001654.html
https://mx.gw.com/pipermail/file/2015/001660.html
https://www.openwall.com/lists/oss-security/2015/01/17/9
https://github.com/file/file/commit/65437cee25199dbd385fb35901bc0011e164276c
https://security.gentoo.org/glsa/201503-08
https://usn.ubuntu.com/3686-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for file
Resource management error in file (Alpine package)
Resource management error in file