[Japanese]

JVNDB-2024-000076

SDoP contains a stack-based buffer overflow vulnerability.

Overview

SDoP fails to handle appropriately some parameters inside the input data, resulting in a stack-based buffer overflow vulnerability (CWE-121).

Yuhei Kawakoya of NTT Security Holdings reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.0 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products


Philip Hazel
  • SDoP versions prior to 1.11

Impact

When a user of the affected product is tricked to process a specially crafted XML file, an arbitrary code may be executed on the user's environment.
Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer has added the commit to fix the vulnerability in SDoP repository, named as version 1.11.
Vendor Information

Philip Hazel
CWE (What is CWE?)

  1. Buffer Errors(CWE-119) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2024-41881
References

  1. JVN : JVN#16420523
Revision History

  • [2024/07/29]
      Web page was published

Date Public2024/07/29
Date First Published2024/07/29
Date Last Updated2024/07/29